Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: SQL Injection  (Read 5746 times)

0 Members and 1 Guest are viewing this topic.

idosha

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 27
SQL Injection
« on: April 04, 2019, 10:46:34 pm »

I keep getting these emails from CSF regarding SQL injection on thumbnails.php - I have the newest version of coppermine gallery 1.5.48

Is this something I should be worried about, does it indicate a security hole in coppermine?

Time:     Thu Apr  4 15:38:49 2019 -0500
IP:       58.64.152.132 (HK/Hong Kong/-)
Failures: 10 (mod_security)
Interval: 300 seconds
Blocked:  Permanent Block [LF_TRIGGER]

Log entries:

[Thu Apr 04 15:38:42.813670 2019] [:error] [pid 126108:tid 47266698782464] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45)--||T:APACHE||PC:6662"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrUmDb-R0DorRXKe96OQAAAEA"]
[Thu Apr 04 15:38:43.336074 2019] [:error] [pid 128274:tid 47266811393792] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45)--||T:APACHE||PC:9763"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrU-kDohBGrzzvJtSadQAAANU"]
[Thu Apr 04 15:38:43.797690 2019] [:error] [pid 136302:tid 47266811393792] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45)--||T:APACHE||PC:9907"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrU43@k15E0xRmuJ4NYQAAAVU"]
[Thu Apr 04 15:38:44.236629 2019] [:error] [pid 128274:tid 47266800887552] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45)--||T:APACHE||PC:7231"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVPkDohBGrzzvJtSafQAAANA"]
[Thu Apr 04 15:38:44.703531 2019] [:error] [pid 126647:tid 47266698782464] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45)--||T:APACHE||PC:9410"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVLbtqEKLr3XRM62gsgAAAIA"]
[Thu Apr 04 15:38:45.181850 2019] [:error] [pid 136302:tid 47266707187456] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45)--||T:APACHE||PC:10380"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVY3@k15E0xRmuJ4NbgAAAUQ"]
[Thu Apr 04 15:38:45.666095 2019] [:error] [pid 128274:tid 47266711389952] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45),char(45,120,55,45,81,45)--||T:APACHE||PC:10800"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVfkDohBGrzzvJtSaiQAAAMY"]
[Thu Apr 04 15:38:46.139750 2019] [:error] [pid 136302:tid 47266711389952] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45),char(45,120,55,45,81,45),char(45,120,56,45,81,45)--||T:APACHE||PC:10177"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVo3@k15E0xRmuJ4NdAAAAUY"]
[Thu Apr 04 15:38:46.618764 2019] [:error] [pid 126108:tid 47266705086208] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45),char(45,120,55,45,81,45),char(45,120,56,45,81,45),char(45,120,57,45,81,45)--||T:APACHE||PC:7759"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVmDb-R0DorRXKe96VgAAAEM"]
[Thu Apr 04 15:38:47.100731 2019] [:error] [pid 136302:tid 47266809292544] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45),char(45,120,55,45,81,45),char(45,120,56,45,81,45),char(45,120,57,45,81,45),char(45,120,49,48,45,81,45)--||T:APACHE||PC:9188"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrV43@k15E0xRmuJ4NfAAAAVQ"]
Logged

phill104

  • Administrator
  • Coppermine addict
  • *****
  • Country: gb
  • Offline Offline
  • Gender: Male
  • Posts: 4885
    • Windsurf.me
Re: SQL Injection
« Reply #1 on: April 04, 2019, 10:53:24 pm »

All those messages seem to refer to Ginkgo CMS rather than Coppermine.
Logged
It is a mistake to think you can solve any major problems just with potatoes.

idosha

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 27
Re: SQL Injection
« Reply #2 on: April 05, 2019, 02:45:31 am »

Yes, it does say that, but further down it also lists the actual file causing it which is [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"]

My guess is maybe the vulnerability that exists in Ginkgo CMS 5.0 (CVE-2013-5318 may also exist in Coppermine Gallery, otherwise the error makes no sense to me.
Logged

idosha

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 27
Re: SQL Injection
« Reply #3 on: April 05, 2019, 03:08:56 am »

The exploit involves execute arbitrary SQL commands via the rang parameter. I have no clue if it's applicable to the thumbnails.php file or if it's just a "dumb bot" trying random exploits on coppermine.

I assume if it wasn't for my Immunify 360 custom rule that the SQL injection might actually be successful?
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15764
Re: SQL Injection
« Reply #4 on: April 09, 2019, 12:53:45 pm »

As far as I know Coppermine doesn't use "rang" as parameter anywhere. I'm also not aware of an exploit for cpg1.5.48.
Logged
Pages: [1]   Go Up
 

Page created in 0.028 seconds with 19 queries.