Omeka 2.2.1 Remote Code Execution Exploit

Risk: High
Advisory ID: ZSL-2014-5194
Release Date: 24 July 2014
Vendor: Omeka Team (CHNM GMU) - http://www.omeka.org
Affected Version: 2.2.1 and 2.2
CVE: N/A
Tested On: Kali Linux 3.7-trunk-686-pae, Apache/2.2.22 (Debian), PHP 5.4.4-13 (apache2handler), MySQL 5.5.28
Summary

Omeka is a free, flexible, and open source web-publishing platform for the display of library, museum, archives, and scholarly collections and exhibitions. Its 'five-minute setup' makes launching an online exhibition as easy as launching a blog.

Description

Omeka suffers from an authenticated arbitrary PHP code execution vulnerability. The flaw is caused by improper verification of uploaded files in the '/admin/items/add' script, reached through the 'file[0]' POST parameter. An authenticated user can exploit it to execute arbitrary PHP code by uploading a malicious PHP script, which is stored in the '/files/original' directory, after disabling the file validation option (or adding a type such as 'application/x-php' to the allowed MIME types list) and bypassing the rewrite rule in the '.htaccess' file by using the '.php5' extension.
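The weak pattern above combines a configurable MIME allow list with a deny-list style rewrite rule that misses '.php5'. As an added example that is not Omeka's code, the standalone PHP validator below shows the defensive alternative: it ignores the client-supplied type and any editable MIME list entirely and decides on an extension allow-list, rejecting server-executable variants wherever they appear in the name. The constant and function names are hypothetical.

```php
<?php
// Added example, not Omeka's code: strict file-name validation for uploads that
// land under a web-served directory such as /files/original.

// Extensions an exhibition site actually needs; everything else is rejected.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Extensions a typical PHP-enabled Apache may execute. The allow-list above
// already excludes them; they are listed so the rejection reason is explicit.
const SERVER_EXECUTABLE = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar'];

/**
 * Decide whether an uploaded file name may be stored under a web-served path.
 * Returns null when the name is acceptable, otherwise the rejection reason.
 * The client-supplied MIME type is deliberately not an input: it is attacker-
 * controlled, and an administrator-editable MIME list is not a security boundary.
 */
function upload_rejection_reason(string $originalName): ?string
{
    // Drop any directory component the client sent (e.g. "../shell.php5").
    $base = basename(str_replace('\\', '/', $originalName));
    if ($base === '' || $base === '.' || $base === '..') {
        return 'empty or invalid file name';
    }
    // Split on every dot so "shell.php5.jpg" and "shell.jpg.php5" are both seen;
    // with AddHandler-style configuration Apache can honour an inner extension.
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return 'file has no extension';
    }
    $extensions = array_slice($parts, 1);
    foreach ($extensions as $ext) {
        if (in_array($ext, SERVER_EXECUTABLE, true)) {
            return "extension '$ext' is server-executable";
        }
    }
    $last = end($extensions);
    if (!in_array($last, ALLOWED_EXTENSIONS, true)) {
        return "extension '$last' is not in the allow list";
    }
    return null;
}

// Constructed sample names, including the .php5 case from the advisory.
foreach (['poster.jpg', 'notes.pdf', 'shell.php5', 'shell.php5.jpg', 'shell.jpg.php'] as $name) {
    $reason = upload_rejection_reason($name);
    printf("%-16s %s\n", $name, $reason === null ? 'accepted' : 'rejected: ' . $reason);
}
```

Validation like this complements, rather than replaces, serving the upload directory with script execution disabled, so that a file which slips through is still never interpreted as PHP.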

Proof of Concept
Disclosure Timeline
16.07.2014  Vulnerability discovered.
17.07.2014  Contact with the vendor with sent details.
17.07.2014  Vendor confirms vulnerability.
18.07.2014  Working with the vendor.
23.07.2014  Vendor releases version 2.2.2 to address this issue.
24.07.2014  Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
High five to John and Patrick!
References
Changelog
24.07.2014  Initial release
25.07.2014  Added references [5], [6], [7], [8], [9], [10] and [11]
26.07.2014  Added reference [12]
30.07.2014  Added reference [13]