
unrestricted access with canvadoc_session_url #1905

Closed
gaukas opened this issue Jun 29, 2021 · 0 comments

gaukas commented Jun 29, 2021

Disclaimer

This is an active exploit and it might be actively utilized. I don't know if this is the proper place to file it, but I found no better place elsewhere after my email got no response in 1 month. I chose to publish it here during the summer break to minimize the potential impact.

I would suggest publishing a Security Advisory to raise awareness if you see fit.

Summary:

canvadoc_session_url could be exploited for unrestricted access to unpublished content.

Steps to reproduce:

  1. Get API access to Canvas as a student to a specific course.
  2. [Optional] Bruteforce finding file ID for a specific course ID. For example: https://canvas.myschool.edu/api/v1/courses/$CourseID/files/$FileID
    • This step could be optimized with knowledge of the approximate file ID range and/or the keyword in the filename.
  3. Access canvadoc_session_url in the JSON object returned by the API.

Expected behavior:

The canvadoc_session_url should deny access to whoever is logged in to Canvas as a student if the file is not published.

Actual behavior:

Access to locked/unpublished files is granted to students via canvadoc_session_url. The student is redirected to a DocViewer under https://canvadocs.instructure.com/.

Additional notes:

This exploit might already be fixed in a new version. But please understand that different institutions might not be using the same up-to-date version of Canvas, as I clearly see different access verification levels at different institutions.
If that is the case, please kindly notify users to update to a minimal version with a feasible fix.

Otherwise, proper permission checking for /api/v1/canvadoc_session should be easy to implement and enforce.

Credits go to @yl4579 for realizing this potential exploit in a tea-time discussion with me.

gaukas closed this as completed Aug 19, 2021
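The following is an added illustration of the permission check the report asks for on the session endpoint. It is not Canvas code: the `Attachment`, `Enrollment` and `CanvadocSessionGate` names, the role strings and the viewer host are assumptions. The point it shows is that a viewer session URL must be issued only after the same visibility rules the file download itself enforces (enrollment in the course, and for students, the file being published and inside its unlock/lock window), and that an unknown id and a forbidden id get the same `nil` answer so the endpoint cannot be used to confirm which ids exist.

```ruby
# Added example, not Canvas's own code. All class and method names here are
# hypothetical; they model the authorization a session endpoint should apply.
require 'securerandom'

# A file in a course. For students it is visible only when published and
# inside its optional unlock_at/lock_at window.
Attachment = Struct.new(:id, :course_id, :published, :unlock_at, :lock_at,
                        keyword_init: true) do
  def available_to_students?(now = Time.now.utc)
    return false unless published
    return false if unlock_at && now < unlock_at
    return false if lock_at && now >= lock_at
    true
  end
end

# Who is in which course, and in what role.
Enrollment = Struct.new(:user_id, :course_id, :role, keyword_init: true)

class CanvadocSessionGate
  STAFF_ROLES = %w[TeacherEnrollment TaEnrollment].freeze

  def initialize(attachments, enrollments)
    @attachments = attachments.to_h { |a| [a.id, a] }
    @enrollments = enrollments
  end

  # Returns a viewer session URL, or nil when the request must be refused
  # (the controller would render 403 for nil). Every refusal path returns the
  # same nil so the caller learns nothing about whether the id exists.
  def session_url_for(user_id:, attachment_id:, now: Time.now.utc)
    attachment = @attachments[attachment_id]
    return nil unless attachment

    enrollment = @enrollments.find do |e|
      e.user_id == user_id && e.course_id == attachment.course_id
    end
    return nil unless enrollment

    staff = STAFF_ROLES.include?(enrollment.role)
    return nil unless staff || attachment.available_to_students?(now)

    # Hypothetical viewer host (constructed); the real host is not modelled.
    "https://canvadocs.example.invalid/sessions/#{SecureRandom.hex(8)}"
  end
end

# Constructed sample data for a single course (id 7).
SAMPLE_ATTACHMENTS = [
  Attachment.new(id: 10, course_id: 7, published: false),                        # unpublished
  Attachment.new(id: 11, course_id: 7, published: true),                         # published
  Attachment.new(id: 12, course_id: 7, published: true,
                 lock_at: Time.utc(2021, 1, 1))                                  # published but locked
].freeze

SAMPLE_ENROLLMENTS = [
  Enrollment.new(user_id: 1, course_id: 7, role: 'StudentEnrollment'),
  Enrollment.new(user_id: 2, course_id: 7, role: 'TeacherEnrollment')
].freeze

GATE = CanvadocSessionGate.new(SAMPLE_ATTACHMENTS, SAMPLE_ENROLLMENTS)

if __FILE__ == $PROGRAM_NAME
  [[1, 10], [2, 10], [1, 11], [1, 12], [1, 99], [3, 11]].each do |user, file|
    url = GATE.session_url_for(user_id: user, attachment_id: file)
    puts "user #{user}, file #{file}: #{url ? 'session issued' : 'denied'}"
  end
end
```

The gate reuses the attachment's own visibility rule rather than a separate "published" flag lookup, so the session path cannot drift from the download path when locking rules change.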