SQL Injection

Started by idosha, April 04, 2019, 10:46:34 PM


idosha

I keep getting these emails from CSF regarding SQL injection on thumbnails.php. I have the newest version of Coppermine Gallery, 1.5.48.

Is this something I should be worried about, does it indicate a security hole in coppermine?

Time:     Thu Apr  4 15:38:49 2019 -0500
IP:       58.64.152.132 (HK/Hong Kong/-)
Failures: 10 (mod_security)
Interval: 300 seconds
Blocked:  Permanent Block [LF_TRIGGER]

Log entries:

[Thu Apr 04 15:38:42.813670 2019] [:error] [pid 126108:tid 47266698782464] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45)--||T:APACHE||PC:6662"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrUmDb-R0DorRXKe96OQAAAEA"]
[Thu Apr 04 15:38:43.336074 2019] [:error] [pid 128274:tid 47266811393792] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45)--||T:APACHE||PC:9763"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrU-kDohBGrzzvJtSadQAAANU"]
[Thu Apr 04 15:38:43.797690 2019] [:error] [pid 136302:tid 47266811393792] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45)--||T:APACHE||PC:9907"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrU43@k15E0xRmuJ4NYQAAAVU"]
[Thu Apr 04 15:38:44.236629 2019] [:error] [pid 128274:tid 47266800887552] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45)--||T:APACHE||PC:7231"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVPkDohBGrzzvJtSafQAAANA"]
[Thu Apr 04 15:38:44.703531 2019] [:error] [pid 126647:tid 47266698782464] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45)--||T:APACHE||PC:9410"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVLbtqEKLr3XRM62gsgAAAIA"]
[Thu Apr 04 15:38:45.181850 2019] [:error] [pid 136302:tid 47266707187456] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45)--||T:APACHE||PC:10380"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVY3@k15E0xRmuJ4NbgAAAUQ"]
[Thu Apr 04 15:38:45.666095 2019] [:error] [pid 128274:tid 47266711389952] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45),char(45,120,55,45,81,45)--||T:APACHE||PC:10800"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVfkDohBGrzzvJtSaiQAAAMY"]
[Thu Apr 04 15:38:46.139750 2019] [:error] [pid 136302:tid 47266711389952] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45),char(45,120,55,45,81,45),char(45,120,56,45,81,45)--||T:APACHE||PC:10177"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVo3@k15E0xRmuJ4NdAAAAUY"]
[Thu Apr 04 15:38:46.618764 2019] [:error] [pid 126108:tid 47266705086208] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45),char(45,120,55,45,81,45),char(45,120,56,45,81,45),char(45,120,57,45,81,45)--||T:APACHE||PC:7759"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrVmDb-R0DorRXKe96VgAAAEM"]
[Thu Apr 04 15:38:47.100731 2019] [:error] [pid 136302:tid 47266809292544] [client 58.64.152.132:0] [client 58.64.152.132] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\\\/\\\\*.*\\\\*\\\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45),char(45,120,52,45,81,45),char(45,120,53,45,81,45),char(45,120,54,45,81,45),char(45,120,55,45,81,45),char(45,120,56,45,81,45),char(45,120,57,45,81,45),char(45,120,49,48,45,81,45)--||T:APACHE||PC:9188"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"] [unique_id "XKZrV43@k15E0xRmuJ4NfAAAAVQ"]
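
To make entries of this shape quicker to read, here is an added example (my own code, not from the post, from Imunify360 or from Coppermine) that parses Imunify360-flavoured ModSecurity error_log lines, pulls the MVN/MV extras out of the msg field, decodes the char() calls in the payload, and flags the rising column count. The sample lines are constructed to match the quoted entries (same rule id, parameter and payload pattern); the client IP and hostname are placeholders, not the poster's.

```python
"""Triage ModSecurity/Imunify360 "Access denied" entries like the ones above.

Added example; not code from the forum post, from Imunify360 or from Coppermine.
SAMPLE_LOG is constructed to match the shape of the quoted entries (same rule
id, parameter and payload pattern); the client IP and hostname are placeholders.
"""
import re

SAMPLE_LOG = r'''
[Thu Apr 04 15:38:42.813670 2019] [:error] [pid 126108:tid 47266698782464] [client 203.0.113.10:0] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\/\\*.*\\*\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45)--||T:APACHE||PC:6662"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "gallery.example"] [uri "/photos/thumbnails.php"] [unique_id "XKZrUmDb-R0DorRXKe96OQAAAEA"]
[Thu Apr 04 15:38:43.336074 2019] [:error] [pid 128274:tid 47266811393792] [client 203.0.113.10:0] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\/\\*.*\\*\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45)--||T:APACHE||PC:9763"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "gallery.example"] [uri "/photos/thumbnails.php"] [unique_id "XKZrU-kDohBGrzzvJtSadQAAANU"]
[Thu Apr 04 15:38:43.797690 2019] [:error] [pid 136302:tid 47266811393792] [client 203.0.113.10:0] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:union(?:\\/\\*.*\\*\\/)?select)" at ARGS:album. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/123_Apps_OtherApps.conf"] [line "51"] [id "77220150"] [rev "4"] [msg "IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||MVN:ARGS:album||MV:5631111111111111'unionselectchar(45,120,49,45,81,45),char(45,120,50,45,81,45),char(45,120,51,45,81,45)--||T:APACHE||PC:9907"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2013-5318"] [hostname "gallery.example"] [uri "/photos/thumbnails.php"] [unique_id "XKZrU43@k15E0xRmuJ4NYQAAAVU"]
'''

# [key "value"] pairs as ModSecurity writes them to the Apache error log
TAGGED_FIELD = re.compile(r'\[([a-z_]+) "((?:[^"\\]|\\.)*)"\]')
CLIENT = re.compile(r'\[client (\S+?):\d+\]')
# MySQL char(45,120,49,...) calls that scanners use to build marker strings
CHAR_CALL = re.compile(r'char\(([\d,]+)\)', re.IGNORECASE)


def parse_entry(line):
    """Pull the fields a triager needs out of one error_log line."""
    fields, tags = {}, []
    for key, value in TAGGED_FIELD.findall(line):
        if key == "tag":
            tags.append(value)
        else:
            fields[key] = value
    # Imunify360 packs extras into msg, separated by '||': MVN is the matched
    # variable name (which request parameter tripped the rule), MV the matched
    # value after the rule's transformations (whitespace evidently stripped,
    # which is why it reads "unionselect").
    msg_parts = fields.get("msg", "").split("||")
    extras = dict(p.split(":", 1) for p in msg_parts[1:] if ":" in p)
    m = CLIENT.search(line)
    return {
        "client": m.group(1) if m else None,
        "rule_id": fields.get("id"),
        "rule_msg": msg_parts[0],      # the product the signature was written for
        "tags": tags,
        "hostname": fields.get("hostname"),
        "uri": fields.get("uri"),      # where the request actually landed
        "param": extras.get("MVN"),    # e.g. ARGS:album
        "payload": extras.get("MV", ""),
    }


def matched_param_name(entry):
    """'ARGS:album' -> 'album'; compare with the parameter the CVE in msg describes."""
    return (entry["param"] or "").split(":", 1)[-1]


def decode_char_calls(payload):
    """Expand each char(n,n,...) call into the literal string it builds."""
    return ["".join(chr(int(n)) for n in grp.split(","))
            for grp in CHAR_CALL.findall(payload)]


def triage(log_text):
    """Summarise one burst of blocks: who, which target, and what technique."""
    entries = [parse_entry(l) for l in log_text.splitlines() if "ModSecurity:" in l]
    if not entries:
        return {"entries": 0}
    col_counts = [len(decode_char_calls(e["payload"])) for e in entries]
    # One more char() column per request (1, 2, 3, ...): a scanner brute-forcing
    # the column count for a UNION SELECT, not a targeted exploit of this app.
    sequential = col_counts == list(range(1, len(col_counts) + 1))
    return {
        "entries": len(entries),
        "clients": sorted({e["client"] for e in entries}),
        "targets": sorted({(e["hostname"], e["uri"], e["param"]) for e in entries}),
        "rule_ids": sorted({e["rule_id"] for e in entries}),
        "signature_subject": entries[0]["rule_msg"].split(":", 1)[-1].strip(),
        "union_select": all("union" in e["payload"].lower() and "select" in e["payload"].lower()
                            for e in entries),
        "column_counts": col_counts,
        "markers": decode_char_calls(entries[-1]["payload"]),
        "technique": "UNION column-count enumeration" if sequential else "unclassified",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:>18}: {value}")
```

Running it prints one summary for the whole burst. The thing to read off is the split between `signature_subject` (the product and CVE the vendor wrote the signature against) and `targets` (hostname, URI and the `ARGS:` parameter that actually received the request): the first says nothing about what is deployed at the second. The decoded markers (`-x1-Q-`, `-x2-Q-`, ...) are the placeholder strings the scanner expects to see echoed back if a UNION with that many columns succeeds, and the count rising by one per request is the signature of automated column enumeration rather than an attack written for the application behind the URI.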

phill104

All those messages seem to refer to Ginkgo CMS rather than Coppermine.
It is a mistake to think you can solve any major problems just with potatoes.

idosha

Yes, it does say that, but further down it also lists the actual file causing it, which is [hostname "robert-downeyjr.com"] [uri "/photos/thumbnails.php"].

My guess is that maybe the vulnerability that exists in Ginkgo CMS 5.0 (CVE-2013-5318) may also exist in Coppermine Gallery; otherwise the error makes no sense to me.

idosha

The exploit involves executing arbitrary SQL commands via the rang parameter. I have no clue if it's applicable to the thumbnails.php file or if it's just a "dumb bot" trying random exploits on Coppermine.

I assume that if it wasn't for my Imunify360 custom rule, the SQL injection might actually be successful?

André

As far as I know, Coppermine doesn't use "rang" as a parameter anywhere. I'm also not aware of an exploit for cpg1.5.48.