[MDL-68276] Standard log entries can be manipulated - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.5.11, 3.6.9, 3.7.5, 3.8.2
Fix Version/s: 3.8.4
Component/s: Administration, Logging
Labels:

Affected Branches:
MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE
Fixed Branches:
MOODLE_38_STABLE
Pull from Repository:
https://github.com/brendanheywood/moodle
Pull Main Branch:
~~MDL-68276~~-replace-logs
Pull Main Diff URL:
https://github.com/moodle/moodle/compare/master...brendanheywood:MDL-68276-replace-logs
Testing Instructions:

Hide

Covered by unit tests

1) Run:

php admin/tool/replace/cli/replace.php --search=randomstring1 --replace=randomstring2 --non-interactive

2) Run:

php admin/tool/replace/cli/replace.php --search=randomstring2 --replace=randomstring3 --non-interactive

3) Visit: /report/loglive/index.php

4) Confirm that the log entry for the first item still says 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring2' in the database.' and not 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring3' in the database.

Show
Covered by unit tests 1) Run: php admin/tool/replace/cli/replace.php --search=randomstring1 --replace=randomstring2 --non-interactive 2) Run: php admin/tool/replace/cli/replace.php --search=randomstring2 --replace=randomstring3 --non-interactive 3) Visit: /report/loglive/index.php 4) Confirm that the log entry for the first item still says 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring2' in the database.' and not 'The user with id '0' replaced the string 'randomstring1' with the string 'randomstring3' in the database.

Description

This is a bug in that a compromised admin account can use this to cover it's tracks to some degree.

This was found while testing ~~MDL-68193~~

1) I did a search and replace, which is now correctly logged (see ~~MDL-68193~~)

2) But I can use the search and replace to manipulate the logs as well:

3) Showing the now re-written logs:

This isn't confined to this new event, you can replace anything in the logs.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

0001-MDL-68276-admin-Skip-all-log-tables-in-db_replace.patch
27/Mar/20 8:11 PM
0.9 kB
Brendan Heywood
image-2020-03-27-22-46-02-826.png
27/Mar/20 7:46 PM
41 kB
Brendan Heywood
image-2020-03-27-22-47-14-819.png
27/Mar/20 7:47 PM
21 kB
Brendan Heywood
image-2020-03-27-22-47-33-079.png
27/Mar/20 7:47 PM
53 kB
Brendan Heywood
MDL-68276.jpg
12/May/20 12:14 PM
25 kB
Anna Carissa Sadia

Issue Links

is duplicated by

MDL-52911 Add new log table to db_replace function whitelist array

Closed

will help resolve

MDL-52911 Add new log table to db_replace function whitelist array

Closed

Activity

People

Assignee:: Brendan Heywood

Reporter:: Brendan Heywood

Peer reviewer:: Peter Burnett

Integrator:: Eloy Lafuente (stronk7)

Tester:: Anna Carissa Sadia

Participants:: Anna Carissa Sadia, Brendan Heywood, CiBoT, Eloy Lafuente (stronk7), Peter Burnett, Peter Spicer

Votes:: 1 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 27/Mar/20 7:44 PM

Updated:: 12/May/20 8:41 PM

Resolved:: 12/May/20 8:41 PM

Fix Release Date:: 13/Jul/20

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2h 15m