forum.coppermine-gallery.net

Support => cpg1.4.x Support => Older/other versions => cpg1.4 miscellaneous => Topic started by: Marius on March 28, 2008, 06:55:01 am

Title: [Solved]: Possible security issue in CPG v1.4.16
Post by: Marius on March 28, 2008, 06:55:01 am

Hello
I want to announce a possible security issue in Coppermine 1.4.16, happened on my site monday, but posting this so late because i wanted to be sure.
So, some guy (program) registered on my site, using (CPG 1.4.16), and posted 1145 comments, 1 for every picture, containing spam, every comment containing 40+ lines of text, all linked, though my config for comments was for 10 lines and 512 characters max. I have found this on servers logs for that day:
..................................
66.186.33.226 - - [24/Mar/2008:00:00:02 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-789&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:03 -0400] "GET /displayimage.php?pos=-788&lang=english HTTP/1.1" 200 36357 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:08 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16175 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-788&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:09 -0400] "GET /displayimage.php?pos=-787&lang=english HTTP/1.1" 200 36496 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:14 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-787&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:16 -0400] "GET /displayimage.php?pos=-786&lang=english HTTP/1.1" 200 36430 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:21 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-786&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:22 -0400] "GET /displayimage.php?pos=-785&lang=english HTTP/1.1" 200 36295 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
64.1.215.162 - - [24/Mar/2008:00:00:25 -0400] "GET /displayimage-45-6.html HTTP/1.0" 200 29143 www.my-site.ro "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:27 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-785&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:28 -0400] "GET /displayimage.php?pos=-784&lang=english HTTP/1.1" 200 36435 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:33 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-784&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:34 -0400] "GET /displayimage.php?pos=-783&lang=english HTTP/1.1" 200 36477 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:39 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-783&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:40 -0400] "GET /displayimage.php?pos=-782&lang=english HTTP/1.1" 200 36300 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
61.247.217.36 - - [24/Mar/2008:00:00:44 -0400] "GET /thumbnails-search-Cameron&lang=albanian.html HTTP/1.1" 200 23786 www.my-site.ro "-" "Yeti/1.0 (+http://help.naver.com/robots/)" "-"
64.1.215.162 - - [24/Mar/2008:00:00:44 -0400] "GET /slideshow-lastup--25-336-4000.html HTTP/1.0" 200 21549 www.my-site.ro "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:45 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-782&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:47 -0400] "GET /displayimage.php?pos=-781&lang=english HTTP/1.1" 200 36302 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
.........................................................................

and so on.
I want to mention this, captcha 3.0 plugin was not installed at that time, my mistake...
If this is a false alarm,i apologize in advance, but for a non technical person like me this looks like an automated sql injection attack from this IP, 66.186.33.226 (probably dynamicaly generated), using "db_input.php" statement. Please someone from CPG technical staff advice on this matter.

Best regards

Title: Re: Possible security issue in CPG v1.4.16
Post by: Joachim Müller on March 28, 2008, 08:20:37 am

How is this supposed to be a security issue? If you allow guest comments, this is to be expected.

Title: Re: Possible security issue in CPG v1.4.16
Post by: Marius on March 29, 2008, 06:00:09 am

I didn't, comments are enabled only to registered, that's exactly the point, pls read more carrefully my post:

Quote

...some guy (program) registered on my site, using (CPG 1.4.16), and posted 1145 comments,...

Title: Re: Possible security issue in CPG v1.4.16
Post by: Marius on March 29, 2008, 06:39:02 am

After reading more in this forum i see that comments spam is a well known issue, found this mod (http://forum.coppermine-gallery.net/index.php/topic,36235.msg180951.html#msg180951) (linked to most relevant post for my problem)