[MDL-68276] Standard log entries can be manipulated - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.5.11, 3.6.9, 3.7.5, 3.8.2
Fix Version/s: 3.8.4
Component/s: Administration, Logging
Labels:

Affected Branches:
MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE
Fixed Branches:
MOODLE_38_STABLE
Pull from Repository:
https://github.com/brendanheywood/moodle
Pull Master Branch:
~~MDL-68276~~-replace-logs
Pull Master Diff URL:
https://github.com/moodle/moodle/compare/master...brendanheywood:MDL-68276-replace-logs
Testing Instructions:

Hide

Covered by unit tests

1) Run:

php admin/tool/replace/cli/replace.php --search=randomstring1 --replace=randomstring2 --non-interactive

2) Run:

php admin/tool/replace/cli/replace.php --search=randomstring2 --replace=randomstring3 --non-interactive

3) Visit: /report/loglive/index.php

4) Confirm that the log entry for the first item still says 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring2' in the database.' and not 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring3' in the database.

Show
Covered by unit tests 1) Run: php admin/tool/replace/cli/replace.php --search=randomstring1 --replace=randomstring2 --non-interactive 2) Run: php admin/tool/replace/cli/replace.php --search=randomstring2 --replace=randomstring3 --non-interactive 3) Visit: /report/loglive/index.php 4) Confirm that the log entry for the first item still says 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring2' in the database.' and not 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring3' in the database.

Description

This is a bug in that a compromised admin account can use this to cover it's tracks to some degree.

This was found while testing ~~MDL-68193~~

1) I did a search and replace, which is now correctly logged (see ~~MDL-68193~~)

2) But I can use the search and replace to manipulate the logs as well:

3) Showing the now re-written logs:

This isn't confined to this new event, you can replace anything in the logs.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

0001-MDL-68276-admin-Skip-all-log-tables-in-db_replace.patch
0.9 kB
27/Mar/20 8:11 PM
image-2020-03-27-22-46-02-826.png
41 kB
27/Mar/20 7:46 PM
image-2020-03-27-22-47-14-819.png
21 kB
27/Mar/20 7:47 PM
image-2020-03-27-22-47-33-079.png
53 kB
27/Mar/20 7:47 PM
MDL-68276.jpg
25 kB
12/May/20 12:14 PM

Issue Links

is duplicated by

MDL-52911 Add new log table to db_replace function whitelist array

Closed

will help resolve

MDL-52911 Add new log table to db_replace function whitelist array

Closed

Activity

People

Assignee:: Brendan Heywood

Reporter:: Brendan Heywood

Peer reviewer:: Peter Burnett

Integrator:: Eloy Lafuente (stronk7)

Tester:: Anna Carissa Sadia

Participants:: Anna Carissa Sadia, Brendan Heywood, CiBoT, Eloy Lafuente (stronk7), Peter Burnett, Peter Spicer

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 1 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 27/Mar/20 7:44 PM

Updated:: 12/May/20 8:41 PM

Resolved:: 12/May/20 8:41 PM

Fix Release Date:: 13/Jul/20

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2h 15m