User passwords being saved in database event_log as plain text

Bug #1692749 reported by Robert Lyon on 2017-05-23
This bug affects 1 person
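| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | | High | Robert Lyon | |
| 15.04 | | High | Unassigned | |
| 16.04 | | High | Unassigned | |
| 16.10 | | High | Unassigned | |
| 17.04 | | High | Unassigned | |
| 17.10 | | High | Robert Lyon | |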

Bug Description

If you turn on full logging for your site via:

Admin -> Configure site -> Logging settings -> Log events

Then whenever a user is created via:

Admin -> Users -> Add user
Admin -> Users -> Add users by CSV

Or in fact any place where we create a user with the create_user() function, we end up calling

handle_event('createuser', $user);

And if the $user object has a password set, then that is saved to the event_log table.

We need to:

1) stop that from happening - in fact, save to event_log only the bits of objects that make sense rather than everything, e.g. I notice that there are a lot of "dirty":true and things whose value is null (we can assume if a key doesn't exist then it would be null rather than explicitly record that)

2) clean up existing data and at the very least remove the saved passwords
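
A sketch of both steps in PHP, added here as an example and not taken from Mahara's code: the function names, the per-event field list and the `salt` key are assumptions. It allowlists fields before an event is logged and reuses the same filter to scrub JSON that is already stored.

```php
<?php
// Added example, not Mahara code: helper names and field lists are assumptions.
// Fields worth logging per event type (assumed list for illustration).
const EVENT_FIELDS = [
    'createuser' => ['id', 'username', 'firstname', 'lastname', 'email'],
];
// Keys that must never be logged; 'password' is from the report, 'salt' is assumed.
const SECRET_KEYS = ['password', 'salt'];

// Recursively drop secret keys, the "dirty" flag and null values.
function strip_secrets(array $fields): array {
    $clean = [];
    foreach ($fields as $key => $value) {
        $name = strtolower((string) $key);
        if (in_array($name, SECRET_KEYS, true) || $name === 'dirty' || $value === null) {
            continue;
        }
        if (is_object($value)) {
            $value = get_object_vars($value);
        }
        $clean[$key] = is_array($value) ? strip_secrets($value) : $value;
    }
    return $clean;
}

// Reduce an event payload to the allowlisted, non-secret fields before logging.
function event_log_payload(string $event, $data): array {
    $fields = is_object($data) ? get_object_vars($data) : (array) $data;
    if (array_key_exists($event, EVENT_FIELDS)) {
        $fields = array_intersect_key($fields, array_flip(EVENT_FIELDS[$event]));
    }
    return strip_secrets($fields);
}

// Clean one stored JSON value; returns null when the row needs no update.
function scrub_logged_json(string $json): ?string {
    $decoded = json_decode($json, true);
    if (!is_array($decoded)) {
        return null; // scalar or invalid JSON: leave the row alone
    }
    $clean = json_encode(strip_secrets($decoded));
    return $clean === json_encode($decoded) ? null : $clean;
}

// Constructed sample resembling a newly created user object.
$user = (object) ['id' => 42, 'username' => 'jdoe', 'password' => 'Secret123!',
                  'lastlogin' => null, 'dirty' => true];
echo json_encode(event_log_payload('createuser', $user)), "\n";
echo scrub_logged_json('{"id":42,"password":"Secret123!","dirty":true}'), "\n";
```

For the cleanup step, run `scrub_logged_json` over each stored event_log value and write back only the rows where it returns a string.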


Robert Lyon (robertl-9) on 2017-05-25
information type: Private Security → Public Security