Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-68276

Standard log entries can be manipulated

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide

      Covered by unit tests

       1) Run:

      php admin/tool/replace/cli/replace.php --search=randomstring1 --replace=randomstring2 --non-interactive

      2) Run:

      php admin/tool/replace/cli/replace.php --search=randomstring2 --replace=randomstring3 --non-interactive

      3) Visit: /report/loglive/index.php

      4) Confirm that the log entry for the first item still says 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring2' in the database.' and not 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring3' in the database.

      Show
      Covered by unit tests  1) Run: php admin/tool/replace/cli/replace.php --search=randomstring1 --replace=randomstring2 --non-interactive 2) Run: php admin/tool/replace/cli/replace.php --search=randomstring2 --replace=randomstring3 --non-interactive 3) Visit: /report/loglive/index.php 4) Confirm that the log entry for the first item still says 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring2' in the database.' and not 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring3' in the database.
    • Affected Branches:
      MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE
    • Fixed Branches:
      MOODLE_38_STABLE
    • Pull Master Branch:
      MDL-68276-replace-logs

      Description

      This is a bug in that a compromised admin account can use this to cover it's tracks to some degree.

      This was found while testing MDL-68193

      1) I did a search and replace, which is now correctly logged (see MDL-68193)

      2) But I can use the search and replace to manipulate the logs as well:

      3) Showing the now re-written logs:

      This isn't confined to this new event, you can replace anything in the logs.

       

       

       

       

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              brendanheywood Brendan Heywood
              Reporter:
              brendanheywood Brendan Heywood
              Peer reviewer:
              Peter Burnett
              Integrator:
              Eloy Lafuente (stronk7)
              Tester:
              Anna Carissa Sadia
              Participants:
              Component watchers:
              Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
              Votes:
              1 Vote for this issue
              Watchers:
              9 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                13/Jul/20

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 hours, 15 minutes
                  2h 15m