Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Prolific logging of Configuration 'Edits' [RESOLVED]

fcheslackfcheslack New
edited September 2016 in Vanilla 2.0 - 2.8

Running Vanilla 2.2.1

I'm seeing a huge amount of logging (in GDN_Log table, but not anywhere obvious in the dashboard) of Operation 'Edit' and RecordType 'Configuration'.

  • An entry every 1 to 5 seconds.
  • They are not tied to any explicit edit of the configuration from the dashboard.
  • I can reliably add one that is tied to my user (InsertUserID) by loading a dashboard page, without taking any actions on it.
  • The majority are not tied to any UserID leading me to believe they are somehow being generated on page loads from any visitor.
  • (edit: it is happening on any page load, not just dashboard pages)

I'm wondering if there is a known reason for this. If it serves any purpose, or is a bug. Tied to some errant use of saveToConfig perhaps?
Any guidance would be appreciated.

As a side note, this also led me to notice that it is logging database credentials, which seems like maybe not a great idea.

Comments

  • RiverRiver MVP
    edited September 2016

    Interesting, Do you see this continue to happen if you disable all plugins and applications (obviously don't disable vanilla) via dashboard and use default theme.

    Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.

  • Yes, but I now see this does not happen on my local install. It only happens on an install deployed on AWS, so I guess this is a more specific edge case.

    One thing that occurred to me was that Vanilla does not actually have permission to edit config.php (because it can be running from multiple servers pointing at the same database, so the configs would get out of sync). That is also true on my local install though, where the extra logging does not happen.

  • RiverRiver MVP
    edited September 2016

    the other difference with local hosts almost never use vanilla analytics, don't know if that impacts anything.

    Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.

  • Unless there's something included in core that I don't see, I don't have analytics (Vanilla Statistics?) enabled on either.

  • Logging in class.configuration.php happens only when some change happens in the config. You can see what have been logged by looking at the table GDN_Log. You'll see that there are no details logged in the table (if I understood your question correct, that has been a concern).

    Could you please post your config.php, but delete database credentials, salt, api keys and other confident information? Maybe that way we can see an info which looks suspicious.

  • Turns out you did point me in the right direction River. It was Garden Analytics (not the Vanilla Statistics plugin which I thought you were talking about, but the core analytics). Didn't realize it would be on unless explicitly disabled in config.php (but it never gets put there, nor is it in config-defaults.php so I had no idea it existed until I tracked down where InstallationID and InstallationSecret came from).

    It was continually trying to save the installation ID and secret to the config, but failing (without throwing an error curiously, despite apparently checking if the file is writable).

  • RiverRiver MVP
    edited September 2016

    @fcheslack said:
    Turns out you did point me in the right direction River. It was Garden Analytics (not the Vanilla Statistics plugin which I thought you were talking about, but the core analytics). Didn't realize it would be on unless explicitly disabled in config.php (but it never gets put there, nor is it in config-defaults.php so I had no idea it existed until I tracked down where InstallationID and InstallationSecret came from).

    It was continually trying to save the installation ID and secret to the config, but failing (without throwing an error curiously, despite apparently checking if the file is writable).

    nice debugging. thought it might be analytics related but not sure why until you mentioned why.
    some older docs. http://docs.vanillaforums.com/help/addons/statistics/

    regarding:

    As a side note, this also led me to notice that it is logging database credentials, which seems like maybe not a great idea.

    @R_J said:
    Logging in class.configuration.php happens only when some change happens in the config. You can see what have been logged by looking at the table GDN_Log. You'll see that there are no details logged in the table (if I understood your question correct, that has been a concern).

    AFAIK, database credentials are serialized in the Data column along with other config info in the LOG table.

    Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.

  • Indeed. I did actually find that documentation. Alas only after I figured out what the problem was.

    AFIK, database credentials are serialized in the Data column along with other config info in the LOG table.

    Yes, when the config is saved, the initial and the new config objects are written to the log, including the DB credentials (library/core/class.configuration.php:1381).

Sign In or Register to comment.