Open NightJar opened 5 days ago
Originally submitted as a security concern, the team assessed it as not a security vulnerability.
Briefly: silverstripe/auditor

Versions:
silverstripe/framework: 4.13.44
silverstripe/auditor: 2.6.2
I presume upwards (and probably downwards) of both versions.

Also of note:
silverstripe/mfa: 4.8.2
What I have noticed is a lack of logging when a member updates their own password. What I expected is a report that a Member was modified by the member with the same ID.
E.g.
[2024-07-11 16:44:22] audit.INFO: "test" (ID: 3) modified Member (ID: 3, ClassName: SilverStripe\Security\Member, Title: "test test", Effective groups: ) [] []
(this log line is edited, not real output)
Instead there is no output whatsoever, only a successful log in note afterward.
[2024-07-11 16:45:20] audit.INFO: "test" (ID: 3) successfully logged in [] []
I have tested:
[2024-07-11 21:04:28] audit.INFO: "admin" (ID: 1) modified Member (ID: 3, ClassName: SilverStripe\Security\Member, Title: "test test", Effective groups: ) [] []
<-- "Require password change on next log in"
[2024-07-11 21:04:52] audit.INFO: "admin" (ID: 1) successfully logged out [] []
[2024-07-11 21:11:27] audit.INFO: "test" (ID: 3) successfully logged in [] []
[2024-07-11 21:12:38] audit.INFO: "test" (ID: 3) successfully logged in [] []
<-- changed password as required
[2024-07-11 21:15:11] audit.INFO: "test" (ID: 3) successfully logged in [] []
<-- visiting /Security/changePassword
[2024-07-11 21:25:22] audit.INFO: "test" (ID: 3) successfully logged in [] []
<-- after submitting to /Security/changepassword/ChangePasswordForm
To aid reproducing and testing I made the following config addition to the project in order to avoid crawling through syslog (my env var SS_ERROR_LOG is set to "silverstripe.log", and the dev box is Debian - adjust where necessary or desired of course):
---
Name: DevLog
Only:
  environment: dev
---
SilverStripe\Core\Injector\Injector:
  # Add a second Monolog handler to the auditor's logger service so audit
  # lines also land in a dedicated file in dev, alongside the syslog output.
  AuditLogger:
    calls:
      - [pushHandler, ['%$DevLogFile']]
  DevLogFile:
    class: Monolog\Handler\StreamHandler
    constructor: ['/var/www/myproject/silverstripe.log']
If I were to possess "borrowed" credentials, I could alter them without any trace to aid in any ensuing incident response. I suspect this issue may affect other areas, but I have not tested further.
Module version(s) affected
2.6.2 at least
Description
When an attacker breaches my account and changes my password, no auditor logs are generated - as if the event never happened.
How to reproduce
Expect: log in logs like when member logs in, or another user changes their password (e.g. via account reset)
Actual: no log at all
Possible Solution
No response
Additional Context
No response
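As a project-side way to get the missing trail, here is an added example (not code from the issue, nor from silverstripe/auditor or silverstripe/framework): a DataExtension on Member that writes its own audit line whenever a password is written, whoever triggered the write. The namespace MyProject\Audit, the class name and the config file path are assumptions; AuditLogger is the Injector service name the config above already pushes a handler onto, and it is assumed to be a PSR-3 logger.

```php
<?php

namespace MyProject\Audit;

use Psr\Log\LoggerInterface;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\ORM\DataExtension;
use SilverStripe\Security\Member;
use SilverStripe\Security\Security;

/**
 * Logs every password change on a Member, including a member changing
 * their own password (the case the issue above shows going unlogged).
 *
 * Attach it with project config (assumed path app/_config/audit.yml):
 *
 *   SilverStripe\Security\Member:
 *     extensions:
 *       - MyProject\Audit\PasswordChangeAudit
 *
 * Namespace and class name are this example's own. "AuditLogger" is the
 * Injector service the issue's dev config also references.
 */
class PasswordChangeAudit extends DataExtension
{
    public function onAfterWrite()
    {
        /** @var Member $member */
        $member = $this->owner;

        // Member::onBeforeWrite() replaces a plaintext Password with its hash
        // (and updates Salt/PasswordEncryption), but DataObject::write() only
        // resets the changed-field flags after onAfterWrite(), so the change
        // is still visible here. Never log the value itself, only the fact.
        if (!$member->isChanged('Password')) {
            return;
        }

        $actor  = Security::getCurrentUser();
        $target = sprintf('Member (ID: %d, Email: %s)', $member->ID, $member->Email);

        if ($actor === null) {
            // e.g. a reset completed via an emailed token before any session exists
            $message = sprintf('Unauthenticated request set password for %s', $target);
        } elseif ((int) $actor->ID === (int) $member->ID) {
            // Self-service change: the case that currently produces no audit line
            $message = sprintf('"%s" (ID: %d) changed their own password', $actor->getTitle(), $actor->ID);
        } else {
            $message = sprintf('"%s" (ID: %d) set password for %s', $actor->getTitle(), $actor->ID, $target);
        }

        $this->getAuditLogger()->info($message, [
            'member_id' => $member->ID,
            'actor_id'  => $actor ? $actor->ID : null,
        ]);
    }

    private function getAuditLogger(): LoggerInterface
    {
        return Injector::inst()->get('AuditLogger');
    }
}
```

With the issue's dev config in place, the new line appears in silverstripe.log next to the "successfully logged in" entries. Because the extension fires on any write that touches Password, an admin editing a member in the CMS will produce this line in addition to the auditor's own "modified Member" entry; that duplication is deliberate, since it keeps the password event distinct from other member edits when reconstructing a timeline.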