Hello
I want to announce a possible security issue in Coppermine 1.4.16. It happened on my site on Monday, but I am posting this so late because I wanted to be sure.
So, some guy (program) registered on my site (CPG 1.4.16) and posted 1145 comments, one for every picture, containing spam; every comment contained 40+ lines of text, all linked, though my config for comments was 10 lines and 512 characters max. I found this in the server logs for that day:
..................................
66.186.33.226 - - [24/Mar/2008:00:00:02 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-789&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:03 -0400] "GET /displayimage.php?pos=-788&lang=english HTTP/1.1" 200 36357 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:08 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16175 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-788&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:09 -0400] "GET /displayimage.php?pos=-787&lang=english HTTP/1.1" 200 36496 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:14 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-787&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:16 -0400] "GET /displayimage.php?pos=-786&lang=english HTTP/1.1" 200 36430 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:21 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-786&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:22 -0400] "GET /displayimage.php?pos=-785&lang=english HTTP/1.1" 200 36295 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
64.1.215.162 - - [24/Mar/2008:00:00:25 -0400] "GET /displayimage-45-6.html HTTP/1.0" 200 29143 www.my-site.ro "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:27 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-785&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:28 -0400] "GET /displayimage.php?pos=-784&lang=english HTTP/1.1" 200 36435 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:33 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-784&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:34 -0400] "GET /displayimage.php?pos=-783&lang=english HTTP/1.1" 200 36477 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:39 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-783&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:40 -0400] "GET /displayimage.php?pos=-782&lang=english HTTP/1.1" 200 36300 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
61.247.217.36 - - [24/Mar/2008:00:00:44 -0400] "GET /thumbnails-search-Cameron&lang=albanian.html HTTP/1.1" 200 23786 www.my-site.ro "-" "Yeti/1.0 (+http://help.naver.com/robots/)" "-"
64.1.215.162 - - [24/Mar/2008:00:00:44 -0400] "GET /slideshow-lastup--25-336-4000.html HTTP/1.0" 200 21549 www.my-site.ro "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:45 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-782&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:47 -0400] "GET /displayimage.php?pos=-781&lang=english HTTP/1.1" 200 36302 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
.........................................................................
and so on.
I want to mention that the captcha 3.0 plugin was not installed at that time, my mistake...
If this is a false alarm, I apologize in advance, but to a non-technical person like me this looks like an automated SQL injection attack from this IP, 66.186.33.226 (probably dynamically generated), using the "db_input.php" statement. Could someone from the CPG technical staff please advise on this matter?
Best regards
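The excerpt above shows one client fetching displayimage.php and then POSTing to db_input.php with that page as the referer, every five to six seconds, for every picture in the gallery. Whatever the spam script exploited, that lockstep pattern is visible in the access log alone and can be picked out automatically. The following detector is an added example, not code from the original post or from the Coppermine project: it parses lines in the same field layout as the log quoted above (client IP, ident, user, timestamp, request line, status, bytes, vhost, referer, user agent, trailing "-"), groups requests per IP, and flags any IP that POSTs to db_input.php more than a threshold number of times within a sliding time window, additionally counting how many of those POSTs refer back to the page that IP had just fetched. The sample log text, the 10.0.0.5 visitor and the threshold values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same layout as the log excerpt in the post.
# 66.186.33.226 alternates GET displayimage.php / POST db_input.php; the other
# hosts are a crawler and one ordinary visitor (10.0.0.5, invented here) who
# posts a single comment several minutes after viewing the picture.
SAMPLE_LOG = """\
66.186.33.226 - - [24/Mar/2008:00:00:01 -0400] "GET /displayimage.php?pos=-789&lang=english HTTP/1.1" 200 36357 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:02 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-789&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:03 -0400] "GET /displayimage.php?pos=-788&lang=english HTTP/1.1" 200 36357 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:08 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16175 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-788&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:09 -0400] "GET /displayimage.php?pos=-787&lang=english HTTP/1.1" 200 36496 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:14 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-787&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:16 -0400] "GET /displayimage.php?pos=-786&lang=english HTTP/1.1" 200 36430 www.my-site.ro "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
66.186.33.226 - - [24/Mar/2008:00:00:21 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-786&lang=english" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
64.1.215.162 - - [24/Mar/2008:00:00:25 -0400] "GET /displayimage-45-6.html HTTP/1.0" 200 29143 www.my-site.ro "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)" "-"
10.0.0.5 - - [24/Mar/2008:00:03:10 -0400] "GET /displayimage.php?pos=-12&lang=english HTTP/1.1" 200 36000 www.my-site.ro "-" "Mozilla/5.0 (X11; Linux)" "-"
10.0.0.5 - - [24/Mar/2008:00:05:40 -0400] "POST /db_input.php?lang=english HTTP/1.1" 302 16168 www.my-site.ro "http://www.my-site.ro/displayimage.php?pos=-12&lang=english" "Mozilla/5.0 (X11; Linux)" "-"
"""

# Field layout of the excerpt: combined log format plus the vhost after the
# byte count and a trailing "-". Request target is captured with its query string.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<vhost>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Script that db_input.php-style comment submissions are POSTed to in the excerpt.
COMMENT_SCRIPT = "/db_input.php"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def events_by_ip(log_text):
    """Group parsed requests per client IP, each list sorted by timestamp."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)
    for recs in by_ip.values():
        recs.sort(key=lambda r: r["ts"])
    return by_ip


def burst_size(times, window_seconds):
    """Largest number of timestamps that fall inside any window_seconds-long span."""
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse_ip(recs, window_seconds):
    """Count comment POSTs, their densest burst, and how many were in lockstep
    with the GET that immediately preceded them (referer == page just fetched)."""
    posts, lockstep, last_get = [], 0, None
    for r in recs:
        if r["method"] == "GET":
            last_get = r["target"]
        elif r["method"] == "POST" and r["target"].startswith(COMMENT_SCRIPT):
            posts.append(r)
            if last_get is not None and r["referer"].endswith(last_get):
                lockstep += 1
    times = [p["ts"] for p in posts]
    return {"posts": len(posts), "burst": burst_size(times, window_seconds), "lockstep": lockstep}


def flag_comment_bots(log_text, max_burst=3, window_seconds=60):
    """Return {ip: stats} for IPs that POST more than max_burst comments in any window."""
    flagged = {}
    for ip, recs in events_by_ip(log_text).items():
        stats = analyse_ip(recs, window_seconds)
        if stats["burst"] > max_burst:
            flagged[ip] = stats
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_comment_bots(SAMPLE_LOG).items():
        print(ip, stats)
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; an IP that trips the burst threshold with a high lockstep count is walking the gallery page by page and posting on each one, which no human does. The access log cannot show the comment bodies, so the 10-line / 512-character limit the post mentions has to be verified against the comments table itself; the log only tells you which client and which time range to look at.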