Summary by sesamestrong
Cross-site-scripting vulnerability
I discovered a vulnerability in how Canvas handles broken images, which allows a cross-site-scripting attack on any Rich Content, like a post in a class discussion, a submission for an assignment, a description of an assignment, or an ePortfolio.
This vulnerability, like similar Rich Content Editor-based XSS vulnerabilities, could allow students to change their grades, find quiz answers, take control of their teacher's account, or make a worm that spreads throughout their school system, giving them access to many students' and teachers' accounts.
I noticed that Canvas used an old version of jQuery, which is vulnerable to CVE-2015-9251; this means that when making an XHR, if the server specifies a Content-Type of application/javascript, jQuery will execute whatever JS is in the response.
I found a way to trigger this vulnerability using Canvas' broken image handler, which detects broken images, then makes an XHR via jQuery to the image URL in order to detect the status code.
In order to trigger this, an attacker must set up a web server that checks the Accept header of an incoming request. If the header asks for an image, the server waits a couple of seconds before returning a 404. When the Accept header is instead consistent with an XHR, the server sends a Content-Type of application/javascript and delivers the JS payload, which jQuery then executes.
Then the attacker inserts an image into the Rich Content Editor with a src pointing to the web server URL, and posts it; whenever a student or teacher views the post, their browser runs whatever JavaScript code the attacker specified.
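The defensive counterpart to the probe described above, as an added example that is neither Canvas' nor jQuery's code: a broken-image status check that never lets the response body reach an evaluator, plus a classifier that flags the mismatch this report relies on (an image URL answering with a JavaScript Content-Type) so it can be logged. The helper names, the stub server and the example.invalid URLs are constructed for the example.

```javascript
// Added example, not Canvas or jQuery code. The jQuery behaviour behind
// CVE-2015-9251 is that $.ajax() with no dataType infers the type from the
// response Content-Type and evaluates a JavaScript response. The probe below
// only ever reads the status code and Content-Type, so a script body is inert.

const IMAGE_TYPE = /^image\//i;
const SCRIPT_TYPE = /^(application|text)\/(x-)?(java|ecma)script\b/i;

// Classify the answer to an image request (hypothetical helper).
// A JavaScript Content-Type on an image URL is reported before anything else,
// regardless of status, because that is the condition worth alerting on.
function classifyImageResponse(status, contentType) {
  const type = (contentType || '').split(';')[0].trim();
  if (SCRIPT_TYPE.test(type)) return 'script-served-as-image';
  if (status >= 400) return 'broken';
  if (IMAGE_TYPE.test(type)) return 'image';
  return 'unexpected';
}

// Probe with HEAD: no body is transferred, and nothing is evaluated.
// fetchImpl is injected so the function can run offline against a stub.
async function probeImageUrl(url, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(url, {
    method: 'HEAD',
    headers: { Accept: 'image/*' },
  });
  return classifyImageResponse(res.status, res.headers.get('content-type'));
}

// Constructed stand-in for a remote server (example.invalid never resolves).
function stubFetch(url) {
  const responses = {
    'https://example.invalid/ok.png': [200, 'image/png'],
    'https://example.invalid/gone.png': [404, 'text/html'],
    'https://example.invalid/trap.png': [200, 'application/javascript; charset=utf-8'],
  };
  const [status, ct] = responses[url] || [500, 'text/plain'];
  return Promise.resolve({ status, headers: new Map([['content-type', ct]]) });
}
```

Pinning how the body is handled (here by never requesting it; in jQuery, by passing an explicit dataType such as 'text') is what removes the content-sniffing step the report abuses.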