Hi! I have a Moodle 3.3 and some courses for students with a low level of digital literacy in remote regions of my country. In one of my courses there's a student who is "stealing" other students' passwords and "hacking" their accounts. The pretend hacker just changes their picture and their status.
I talked to the class teacher and we took steps to prevent an incident like that from occurring again. However, in an attempt to discover the attacker, I saw that he left the following HTML in one of the profiles:
<img src="MYSITEADRESS/draftfile.php/5/user/draft/89908003/how-to-hacker-hackersec.png" alt="HACKEADO" class="atto_image_button_middle" width="400" height="200">
I opened draftfile.php and found the following lines of code:
// The draft area belongs to a user context; the user id is the context's instance id.
$userid = $context->instanceid;
if ($USER->id != $userid) {
    print_error('invaliduserid');
}
$fs = get_file_storage();
$relativepath = implode('/', $args);
// Path layout: /<context id>/user/draft/<draft item id>/<relative path>
$fullpath = "/$context->id/user/draft/$draftid/$relativepath";
if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->get_filename() == '.') {
    send_file_not_found();
}
It seems that this number in "draftfile.php" is the ID number of the student that uploaded this pic. Is my reasoning correct? If yes, how can I identify which student has id 5 in the system? I created IDs for all students, but they are numbers with more than one digit... so I think this ID number 5 is some kind of Moodle-only ID.
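The posted code builds the path as "/$context->id/user/draft/$draftid/...", so the first number in the link is a context id (the user id is the context's instanceid), and the second number is the draft item id. The following queries, added here as an example and not part of the post, resolve both numbers from the database. They assume the default "mdl_" table prefix and Moodle's standard tables: mdl_context (contextlevel 30 is CONTEXT_USER, instanceid is the user id), mdl_user (idnumber is the institution-assigned ID), and mdl_files (userid is the account that uploaded the file).

```sql
-- Added example, not from the post. Assumes the default "mdl_" table prefix.
-- The two literal values (5 and 89908003) are taken from the posted link.

-- 1. The "5" in /draftfile.php/5/user/draft/... is a context id.
--    Map it to the user account that owns that context.
SELECT c.id AS contextid,
       c.contextlevel,
       c.instanceid AS userid,
       u.username, u.firstname, u.lastname,
       u.idnumber                 -- the institution ID you assigned
  FROM mdl_context c
  JOIN mdl_user u ON u.id = c.instanceid
 WHERE c.id = 5
   AND c.contextlevel = 30;       -- CONTEXT_USER

-- 2. The "89908003" is the draft item id. The file row records the
--    uploading account (f.userid) and the upload time, which is the
--    stronger piece of evidence for identifying who placed the image.
SELECT f.id,
       f.filename,
       f.userid AS uploader_userid,
       u.username,
       f.timecreated,
       f.contextid,
       f.itemid
  FROM mdl_files f
  JOIN mdl_user u ON u.id = f.userid
 WHERE f.component = 'user'
   AND f.filearea  = 'draft'
   AND f.itemid    = 89908003
   AND f.filename <> '.';         -- skip the directory placeholder row
```

Run these read-only queries against a copy or with a read-only account. Draft file areas are purged by Moodle's cron after a few days, so if the second query returns nothing the file record may already be gone; the context lookup in the first query still works, because the user context persists with the account.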