silverstripe / silverstripe-auditor

BSD 3-Clause "New" or "Revised" License

Changing one's own password does not trigger a log #93

Open NightJar opened 5 days ago

NightJar commented 5 days ago

Module version(s) affected

2.6.2 at least

Description

When an attacker breaches my account and changes my password, no auditor logs are generated - as if the event never happened.

How to reproduce

  1. Log in to CMS
  2. Click profile top left under site name
  3. Change password

Expect: a log entry, like when a member logs in or another user changes their password (e.g. via account reset)

Actual: no log at all

Possible Solution

No response

Additional Context

No response

NightJar commented 5 days ago

Originally submitted as a security concern, the team assessed it as

not a security vulnerability

Briefly:

Versions:

I presume upwards (and probably downwards) of both versions.

Also of note:

What I have noticed is a lack of logging when a member updates their own password. What I expected is a report that a Member was modified by the member with the same ID.

E.g. [2024-07-11 16:44:22] audit.INFO: "test" (ID: 3) modified Member (ID: 3, ClassName: SilverStripe\Security\Member, Title: "test test", Effective groups: ) [] [] (this log line is edited, not real output)

Instead there is no output whatsoever, only a successful log in note afterward.

[2024-07-11 16:45:20] audit.INFO: "test" (ID: 3) successfully logged in [] []

I have tested:

[2024-07-11 21:04:28] audit.INFO: "admin" (ID: 1) modified Member (ID: 3, ClassName: SilverStripe\Security\Member, Title: "test test", Effective groups: ) [] [] <-- "Require password change on next log in"
[2024-07-11 21:04:52] audit.INFO: "admin" (ID: 1) successfully logged out [] []
[2024-07-11 21:11:27] audit.INFO: "test" (ID: 3) successfully logged in [] []
[2024-07-11 21:12:38] audit.INFO: "test" (ID: 3) successfully logged in [] [] <-- changed password as required

[2024-07-11 21:15:11] audit.INFO: "test" (ID: 3) successfully logged in [] [] <-- visiting /Security/changePassword
[2024-07-11 21:25:22] audit.INFO: "test" (ID: 3) successfully logged in [] [] <-- after submitting to /Security/changepassword/ChangePasswordForm

To aid reproducing and testing I made the following config addition to the project in order to avoid crawling through syslog (my env var SS_ERROR_LOG is set to "silverstripe.log", and the dev box is Debian - adjust where necessary or desired of course):

---
Name: DevLog
Only:
  environment: dev
---
SilverStripe\Core\Injector\Injector:
  AuditLogger:
    calls:
      - [pushHandler, ['%$DevLogFile']]
  DevLogFile:
    class: Monolog\Handler\StreamHandler
    constructor: ['/var/www/myproject/silverstripe.log']

If I were to possess "borrowed" credentials, I could alter them without any trace to aid in any ensuing incident response. I suspect this issue may affect other areas, but I have not tested further.
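One interim way to close the logging gap described in this issue, as an added example that is not part of the silverstripe-auditor module or the reporter's own code: a hypothetical DataExtension on Member that writes its own audit entry whenever the stored password hash changes, attributing the change to the logged-in member. It assumes the "AuditLogger" Injector service used in the YAML above is a PSR-3 logger and that Silverstripe's DataExtension hooks behave as in 4.x/5.x.

```php
<?php
// Added example (hypothetical workaround), not code from the auditor module.
// Apply it to Member with project YAML, for instance:
//   SilverStripe\Security\Member:
//     extensions:
//       - App\Security\PasswordChangeAuditExtension
// Assumes the "AuditLogger" Injector service is a PSR-3 logger.

namespace App\Security;

use Psr\Log\LoggerInterface;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\ORM\DataExtension;
use SilverStripe\Security\Security;

class PasswordChangeAuditExtension extends DataExtension
{
    // onAfterWrite runs before change tracking is reset, so isChanged() still
    // reports whether this write touched the Password field (the hash, never
    // the plaintext, which is all we ever want near a log line).
    public function onAfterWrite()
    {
        $member = $this->getOwner();
        if (!$member->isChanged('Password')) {
            return;
        }

        $actor = Security::getCurrentUser();
        $isSelf = $actor && (int) $actor->ID === (int) $member->ID;

        /** @var LoggerInterface $logger */
        $logger = Injector::inst()->get('AuditLogger');
        $logger->info(sprintf(
            '"%s" (ID: %d) changed password for Member (ID: %d, Email: "%s")%s',
            $actor ? $actor->Email : 'unauthenticated',
            $actor ? (int) $actor->ID : 0,
            (int) $member->ID,
            $member->Email,
            $isSelf ? ' [self-service change]' : ''
        ));
    }
}
```

With the DevLog handler above in place, a self-service change then shows up in silverstripe.log next to the login entry instead of leaving only the login behind.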