SQL Injection

idosha · April 04, 2019, 10:46:34 PM

I keep getting these emails from CSF regarding SQL injection on thumbnails.php - I have the newest version of coppermine gallery 1.5.48

Is this something I should be worried about, does it indicate a security hole in coppermine?

Time: Thu Apr 4 15:38:49 2019 -0500
IP: 58.64.152.132 (HK/Hong Kong/-)
Failures: 10 (mod_security)
Interval: 300 seconds
Blocked: Permanent Block [LF_TRIGGER]

Log entries:

[Thu Apr 04 15:38:42.813670 2019] [:error] [pid 126108:tid 47266698782464] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45)--||T:APACHE||PC:6662"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrUmDb-R0DorRXKe96OQAAAEA"]
[Thu Apr 04 15:38:43.336074 2019] [:error] [pid 128274:tid 47266811393792] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45)--||T:APACHE||PC:9763"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrU-kDohBGrzzvJtSadQAAANU"]
[Thu Apr 04 15:38:43.797690 2019] [:error] [pid 136302:tid 47266811393792] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45)--||T:APACHE||PC:9907"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrU43@k15E0xRmuJ4NYQAAAVU"]
[Thu Apr 04 15:38:44.236629 2019] [:error] [pid 128274:tid 47266800887552] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45)--||T:APACHE||PC:7231"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVPkDohBGrzzvJtSafQAAANA"]
[Thu Apr 04 15:38:44.703531 2019] [:error] [pid 126647:tid 47266698782464] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45)--||T:APACHE||PC:9410"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVLbtqEKLr3XRM62gsgAAAIA"]
[Thu Apr 04 15:38:45.181850 2019] [:error] [pid 136302:tid 47266707187456] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45)--||T:APACHE||PC:10380"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVY3@k15E0xRmuJ4NbgAAAUQ"]
[Thu Apr 04 15:38:45.666095 2019] [:error] [pid 128274:tid 47266711389952] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45),char(45,120,55,45,81,45)--||T:APACHE||PC:10800"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVfkDohBGrzzvJtSaiQAAAMY"]
[Thu Apr 04 15:38:46.139750 2019] [:error] [pid 136302:tid 47266711389952] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45),char(45,120,55,45,81,45),char(45,120,56,45,81,45)--||T:APACHE||PC:10177"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVo3@k15E0xRmuJ4NdAAAAUY"]
[Thu Apr 04 15:38:46.618764 2019] [:error] [pid 126108:tid 47266705086208] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45),char(45,120,55,45,81,45),char(45,120,56,45,81,45),char(45,120,57,45,81,45)--||T:APACHE||PC:7759"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVmDb-R0DorRXKe96VgAAAEM"]
[Thu Apr 04 15:38:47.100731 2019] [:error] [pid 136302:tid 47266809292544] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45),char(45,120,55,45,81,45),char(45,120,56,45,81,45),char(45,120,57,45,81,45),char(45,120,49,48,45,81,45)--||T:APACHE||PC:9188"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrV43@k15E0xRmuJ4NfAAAAVQ"]

phill104 · April 04, 2019, 10:53:24 PM

All those messages seem to refer to Ginkgo CMS rather than Coppermine.

idosha · April 05, 2019, 02:45:31 AM

Yes, it does say that, but further down it also lists the actual file causing it which is [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"]

My guess is maybe the vulnerability that exists in Ginkgo CMS 5.0 (CVE-2013-5318 may also exist in Coppermine Gallery, otherwise the error makes no sense to me.

idosha · April 05, 2019, 03:08:56 AM

The exploit involves execute arbitrary SQL commands via the rang parameter. I have no clue if it's applicable to the thumbnails.php file or if it's just a "dumb bot" trying random exploits on coppermine.

I assume if it wasn't for my Immunify 360 custom rule that the SQL injection might actually be successful?

Αndré · April 09, 2019, 12:53:45 PM

As far as I know Coppermine doesn't use "rang" as parameter anywhere. I'm also not aware of an exploit for cpg1.5.48.

coppermine-gallery.com/forum

News:

SQL Injection

idosha

phill104

idosha

idosha

Αndré