CVE-2021-36539: unrestricted access with canvadoc_session_url · Issue #1905 · instructure/canvas-lms

Instructure Canvas LMS did not properly deny access to locked/unpublished files when an unprivileged user accessed the DocViewer-based file preview URL (canvadoc_session_url).

Disclaimer

This is an active exploit and it might be actively utilized. I don’t know if this is the proper place to file it, but I found no better place after my email got no response in 1 month. I chose to publish it here during the summer break to minimize the potential impact.

I would suggest publishing a Security Advisory to raise awareness if you see fit.

Summary:

canvadoc_session_url could be exploited for unrestricted access to unpublished content.

Steps to reproduce:

  1. Get API access to Canvas as a student to a specific course.
  2. [Optional] Bruteforce finding file ID for a specific course ID. For example: https://canvas.myschool.edu/api/v1/courses/$CourseID/files/$FileID
    • This step could be optimized with knowledge of the approximate file ID range and/or the keyword in the filename.
  3. Access canvadoc_session_url in the JSON object returned by the API.

Expected behavior:

The canvadoc_session_url should deny access for whoever is logged in to Canvas as a student if the file is not published.

Actual behavior:

Access to locked/unpublished files is granted to students via canvadoc_session_url. The student will be redirected to a DocViewer under https://canvadocs.instructure.com/

Additional notes:

This exploit might already be fixed in a newer version. But please understand that different institutions might not be using the same up-to-date version of Canvas, as I clearly see different access verification levels at different institutions.
If that is the case, please kindly notify users to update to a minimal version with a feasible fix.

Otherwise, proper permission checking for /api/v1/canvadoc_session should be easy to implement and enforce.

Credits go to @yl4579 for realizing this potential exploit in a tea-time discussion with me.
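The report's closing remark is that a permission check on the preview endpoint is straightforward. The following Ruby sketch is an added illustration written for this page; it is not Canvas LMS code and its model names, fields and the placeholder DocViewer host are assumptions. It contrasts a preview endpoint that only verifies the file belongs to the course (the shape of the bug described above) with one that routes through the same read-authorization predicate as the normal file download path, and that answers "not permitted" and "does not exist" identically so that hidden file IDs cannot be confirmed by probing.

```ruby
# Added illustration (not Canvas LMS code): a file-preview endpoint that reuses
# the same read authorization as the download endpoint, so a locked or
# unpublished file cannot be reached through a secondary URL.

# Hypothetical minimal models; field names are assumptions.
CourseFile = Struct.new(:id, :course_id, :published, :locked, keyword_init: true)
User       = Struct.new(:id, :role, keyword_init: true) # role: :student or :teacher

# Constructed sample data (not taken from the report).
SAMPLE_FILES = {
  101 => CourseFile.new(id: 101, course_id: 7, published: true,  locked: false),
  102 => CourseFile.new(id: 102, course_id: 7, published: false, locked: false), # unpublished
  103 => CourseFile.new(id: 103, course_id: 7, published: true,  locked: true),  # locked
}.freeze
STUDENT = User.new(id: 1, role: :student)
TEACHER = User.new(id: 2, role: :teacher)

# Single source of truth for "may this user read this file?". Every path that
# hands out file content (download, preview, thumbnail, ...) must call this.
def can_read_file?(user, file)
  return true if user.role == :teacher
  file.published && !file.locked
end

def session_url_for(file)
  # Placeholder host; a real DocViewer service would mint its own signed session URL.
  "https://docviewer.example/sessions/#{file.id}"
end

# Vulnerable shape: the preview path checks only course membership of the file,
# implicitly trusting that the caller was already filtered by the file listing.
def preview_session_unchecked(_user, course_id, file_id, files = SAMPLE_FILES)
  file = files[file_id]
  return { status: 404 } if file.nil? || file.course_id != course_id

  { status: 200, session_url: session_url_for(file) }
end

# Hardened shape: the same predicate gates the preview path, and "missing" and
# "not permitted" produce the same response so probing cannot confirm an ID.
def preview_session(user, course_id, file_id, files = SAMPLE_FILES)
  file = files[file_id]
  denied = file.nil? || file.course_id != course_id || !can_read_file?(user, file)
  return { status: 404 } if denied

  { status: 200, session_url: session_url_for(file) }
end

if __FILE__ == $PROGRAM_NAME
  puts "unchecked, student, unpublished: #{preview_session_unchecked(STUDENT, 7, 102)[:status]}"
  puts "hardened,  student, unpublished: #{preview_session(STUDENT, 7, 102)[:status]}"
  puts "hardened,  teacher, unpublished: #{preview_session(TEACHER, 7, 102)[:status]}"
end
```

The design point is that authorization for an object must not depend on which URL reaches it: any secondary route to the content (here, a preview session) has to call the same predicate as the primary route, and a uniform denial response keeps the endpoint from doubling as an existence oracle for file IDs.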
