Moodle / MDL-68276

Standard log entries can be manipulated


Details

    • MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE
    • MOODLE_38_STABLE
    • MDL-68276-replace-logs

      Covered by unit tests

       1) Run:

      php admin/tool/replace/cli/replace.php --search=randomstring1 --replace=randomstring2 --non-interactive

      2) Run:

      php admin/tool/replace/cli/replace.php --search=randomstring2 --replace=randomstring3 --non-interactive

      3) Visit: /report/loglive/index.php

      4) Confirm that the log entry for the first item still says 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring2' in the database.' and not 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring3' in the database.'


    Description

      This is a bug in that a compromised admin account can use this to cover its tracks to some degree.

      This was found while testing MDL-68193.

      1) I did a search and replace, which is now correctly logged (see MDL-68193)

      2) But I can use the search and replace to manipulate the logs as well:

      3) Showing the now re-written logs:

      This isn't confined to this new event; you can replace anything in the logs.

      Attachments

        1. 0001-MDL-68276-admin-Skip-all-log-tables-in-db_replace.patch
          0.9 kB
          Brendan Heywood
        2. image-2020-03-27-22-46-02-826.png
          41 kB
          Brendan Heywood
        3. image-2020-03-27-22-47-14-819.png
          21 kB
          Brendan Heywood
        4. image-2020-03-27-22-47-33-079.png
          53 kB
          Brendan Heywood
        5. MDL-68276.jpg
          25 kB
          Anna Carissa Sadia
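
Added example (not Moodle's code and not the attached patch): a Python/sqlite3 model of the test steps above, showing that a database-wide replace rewrites an earlier log entry unless log tables are skipped, which is the approach named in the attached patch's filename. The table names, the `LOG_TABLE` pattern and the helper functions are assumptions made for this illustration.

```python
import re
import sqlite3

# Assumption: any table whose name contains the word "log"/"logs" is an audit table.
LOG_TABLE = re.compile(r"(^|_)logs?($|_)")

def build_db():
    """Constructed sample data: one content table and one audit-log table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE course (id INTEGER PRIMARY KEY, summary TEXT)")
    db.execute("CREATE TABLE standard_log (id INTEGER PRIMARY KEY, other TEXT)")
    db.execute("INSERT INTO course (summary) VALUES ('see randomstring1')")
    return db

def replace_all(db, search, replace, skip_logs):
    """Replace `search` in every TEXT column, then log the action itself."""
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    touched = []
    for table in tables:
        if skip_logs and LOG_TABLE.search(table):
            continue  # audit records are never rewritten
        # Identifiers come from the schema catalogue, not from user input.
        for col in db.execute(f'PRAGMA table_info("{table}")').fetchall():
            if col[2].upper() != "TEXT":
                continue
            cur = db.execute(
                f'UPDATE "{table}" SET "{col[1]}" = REPLACE("{col[1]}", ?, ?) '
                f'WHERE instr("{col[1]}", ?) > 0', (search, replace, search))
            if cur.rowcount:
                touched.append(table)
    db.execute("INSERT INTO standard_log (other) VALUES (?)",
               (f"replaced '{search}' with '{replace}'",))
    return touched

def first_log_entry(skip_logs):
    """Run the two replacements from the test steps and return log entry 1."""
    db = build_db()
    replace_all(db, "randomstring1", "randomstring2", skip_logs)
    replace_all(db, "randomstring2", "randomstring3", skip_logs)
    return db.execute(
        "SELECT other FROM standard_log ORDER BY id").fetchone()[0]
```

With `skip_logs=False` the first entry ends up claiming 'randomstring3' was the replacement; with `skip_logs=True` it keeps the original 'randomstring2' record.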


            People

              brendanheywood Brendan Heywood
              brendanheywood Brendan Heywood
              Peter Burnett Peter Burnett
              Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
              Anna Carissa Sadia Anna Carissa Sadia
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

              Dates

                Created:
                Updated:
                Resolved:
                13/Jul/20
