← Advisories

Omeka 2.2 CSRF And Stored XSS Vulnerability

Medium
Advisory ID
ZSL-2014-5193
Release Date
17 July 2014
Vendor
Omeka Team (CHNM GMU) - http://www.omeka.org
Affected Version
2.2
CVE
CVE-2014-5100
Tested On
Kali Linux 3.7-trunk-686-pae, Apache/2.2.22 (Debian), PHP 5.4.4-13(apache2handler), MySQL 5.5.28
Summary

Omeka is a free, flexible, and open source web-publishing platform for the display of library, museum, archives, and scholarly collections and exhibitions. Its 'five-minute setup' makes launching an online exhibition as easy as launching a blog.

Description

Omeka version 2.2 suffers from a cross-site request forgery and a stored xss vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to the 'api_key_label' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Proof of Concept
omeka_csrfxss.htmlTXT
Disclosure Timeline
16.07.2014Vulnerabilities discovered.
16.07.2014Contact with the vendor.
16.07.2014Vendor responds asking for details.
16.07.2014Sent details to the vendor.
16.07.2014Vendor confirms vulnerabilities.
17.07.2014Vendor releases patched version 2.2.1 to address these issues.
17.07.2014Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://omeka.org/blog/2014/07/16/omeka-2-2-1-security-update-released/
[2]http://omeka.org/codex/Release_Notes_for_2.2.1
[3]https://github.com/omeka/Omeka/compare/24896ce...v2.2.1
[4]http://www.exploit-db.com/exploits/34100/
[5]http://cxsecurity.com/issue/WLB-2014070097
[6]http://packetstormsecurity.com/files/127523
[7]http://www.securityfocus.com/bid/68707
[8]http://osvdb.org/show/osvdb/109263
[9]http://osvdb.org/show/osvdb/109264
[10]http://xforce.iss.net/xforce/xfdb/94689
[11]http://xforce.iss.net/xforce/xfdb/94690
[12]http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-5100
[13]http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5100
Changelog
17.07.2014Initial release
18.07.2014Added reference [4], [5], [6], [7], [8] and [9]
19.07.2014Added reference [10] and [11]
27.07.2014Added reference [12] and [13]