User passwords being saved in database event_log as plain text
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mahara |
Fix Released
|
High
|
Robert Lyon | ||
| 15.04 |
Fix Released
|
High
|
Unassigned | ||
| 16.04 |
Fix Released
|
High
|
Unassigned | ||
| 16.10 |
Fix Released
|
High
|
Unassigned | ||
| 17.04 |
Fix Released
|
High
|
Unassigned | ||
| 17.10 |
Fix Released
|
High
|
Robert Lyon | ||
Bug Description
If you turn full logging for you site via:
Admin -> Configure site -> Logging settings -> Log events
Then whenever a user is created via:
Admin -> Users -> Add user
Admin -> Users -> Add users by CSV
Or in fact any place where we create a user with the create_user() function we end up calling
handle_
And if the $user object has password set then that is saved to event_log table
We need to:
1) stop that from happening - in fact only save to event_log only the bits of objects that make sense rather than everything, eg I notice that there are a lot of "dirty":true and things who's value is null (we can assume if key doesn't exist then it would be null rather than explicitly record that)
2) clean up existing data and at very least remove the saved passwords
CVE References
| information type: | Private Security → Public Security |
