Omeka 2.2.1 Remote Code Execution Exploit

Title: Omeka 2.2.1 Remote Code Execution Exploit
Advisory ID: ZSL-2014-5194
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 24.07.2014
Omeka is a free, flexible, and open source web-publishing platform for the display of library, museum, archives, and scholarly collections and exhibitions. Its 'five-minute setup' makes launching an online exhibition as easy as launching a blog.
Omeka suffers from an authenticated arbitrary PHP code execution vulnerability. The issue is caused by improper verification of files uploaded through the '/admin/items/add' script via the 'file[0]' POST parameter. An authenticated user can exploit it to execute arbitrary PHP code by uploading a malicious PHP script, which is stored in the '/files/original' directory, after first disabling the file validation option (or adding a type such as 'application/x-php' to the allowed MIME types list) and bypassing the rewrite rule in the '.htaccess' file by giving the script a '.php5' extension, which the rewrite rule does not match but the PHP handler still serves.
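The two controls the description above says the attacker gets around are the upload validation (switchable off, and otherwise keyed on an admin-editable MIME allowlist) and an '.htaccess' rewrite rule that only recognises a trailing '.php'. The following Python model, added here as an illustration and not taken from Omeka's code or from the advisory's exploit, reproduces each control in its weak form beside a hardened form and walks the '.php5' upload through both. The regexes, option names and the list of PHP handler extensions are assumptions (the extension list is a conservative union of the patterns Debian's mod_php configs use); the web shell and settings are constructed sample data.

```python
import re

# Extensions a stock Apache/mod_php install may hand to the PHP engine.
# ASSUMPTION: conservative union of the Debian php5/php7 handler patterns
# (php, php3, php4, php5, pht, phtml, phar, phps); not Omeka's own list.
# Matches the extension anywhere in the name, so shell.php.jpg is caught too.
PHP_HANDLER_EXT = re.compile(r"\.ph(p\d?|t|tml|ar|ps)(\.|$)", re.IGNORECASE)

# Trailing-only form: what a FilesMatch-style handler actually executes.
PHP_SERVED = re.compile(r"\.ph(p\d?|t|tml|ar|ps)$", re.IGNORECASE)

# ASSUMPTION: the rewrite rule the advisory says .php5 slips past only looks
# for a literal trailing ".php".
WEAK_REWRITE = re.compile(r"\.php$", re.IGNORECASE)

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf"}  # illustrative allowlist

# Constructed sample data, modelled on the advisory's description.
WEBSHELL = {
    "name": "shell.php5",
    "client_mime": "application/x-php",  # client-supplied, attacker-chosen
    "content": b'<?php system($_GET["c"]); ?>',
}
DEFAULT_SETTINGS = {
    "disable_file_validation": False,
    "allowed_mime": {"image/jpeg", "image/png", "application/pdf"},
}


def weak_rewrite_blocks(name):
    """Model of the original rule: blocks only names ending in .php."""
    return bool(WEAK_REWRITE.search(name))


def hardened_rewrite_blocks(name):
    """Deny every PHP handler extension, wherever it appears in the name."""
    return bool(PHP_HANDLER_EXT.search(name))


def weak_validate(upload, settings):
    """Model of the validation described: can be switched off, and otherwise
    trusts the client-supplied MIME type against an editable allowlist."""
    if settings.get("disable_file_validation"):
        return True
    return upload["client_mime"] in settings["allowed_mime"]


def hardened_validate(upload, settings):
    """Server-side checks that ignore both the settings and the client MIME:
    extension allowlist, no PHP handler extension anywhere, content sniff."""
    name = upload["name"].lower()
    if "." not in name or name.rsplit(".", 1)[1] not in ALLOWED_EXT:
        return False
    if PHP_HANDLER_EXT.search(name):
        return False
    if b"<?php" in upload["content"] or b"<?=" in upload["content"]:
        return False
    return True


def simulate(upload, settings, validate, rewrite_blocks):
    """Outcome of one upload to /admin/items/add under the chosen controls:
    'rejected'           validation refused the file
    'stored_but_blocked' stored under files/original, rewrite rule denies it
    'stored_inert'       stored, but no PHP handler serves that extension
    'executes'           stored and served by PHP: code execution"""
    if not validate(upload, settings):
        return "rejected"
    if rewrite_blocks(upload["name"]):
        return "stored_but_blocked"
    if not PHP_SERVED.search(upload["name"]):
        return "stored_inert"
    return "executes"


def scenarios():
    """Walk the .php5 shell through the weak and hardened controls."""
    disabled = dict(DEFAULT_SETTINGS, disable_file_validation=True)
    widened = dict(DEFAULT_SETTINGS,
                   allowed_mime=DEFAULT_SETTINGS["allowed_mime"] | {"application/x-php"})
    dot_php = dict(WEBSHELL, name="shell.php")
    double_ext = dict(WEBSHELL, name="shell.php.jpg", client_mime="image/jpeg")
    run = simulate
    return {
        "default": run(WEBSHELL, DEFAULT_SETTINGS, weak_validate, weak_rewrite_blocks),
        "validation_disabled": run(WEBSHELL, disabled, weak_validate, weak_rewrite_blocks),
        "mime_added": run(WEBSHELL, widened, weak_validate, weak_rewrite_blocks),
        "dot_php_disabled": run(dot_php, disabled, weak_validate, weak_rewrite_blocks),
        "hardened_disabled": run(WEBSHELL, disabled, hardened_validate, hardened_rewrite_blocks),
        "hardened_rewrite_only": run(WEBSHELL, disabled, weak_validate, hardened_rewrite_blocks),
        "hardened_double_ext": run(double_ext, disabled, hardened_validate, hardened_rewrite_blocks),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label:24s} {outcome}")
```

The point of the model is that either weakened setting alone is enough once the rewrite rule keys on a single extension; a fix has to cover every extension the handler serves (or, better, turn the PHP engine off for the upload directory or keep originals outside the web root) and must not rely on a client-supplied MIME type.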
Vendor
Omeka Team (CHNM GMU) -
Affected Version
2.2.1 and 2.2
Tested On
Kali Linux 3.7-trunk-686-pae
Apache/2.2.22 (Debian)
PHP 5.4.4-13 (apache2handler)
MySQL 5.5.28
Vendor Status
[16.07.2014] Vulnerability discovered.
[17.07.2014] Contacted the vendor and sent details.
[17.07.2014] Vendor confirms vulnerability.
[18.07.2014] Working with the vendor.
[23.07.2014] Vendor releases version 2.2.2 to address this issue.
[24.07.2014] Coordinated public security advisory released.
Vulnerability discovered by Gjoko Krstic - <>
High five to John and Patrick!
[24.07.2014] - Initial release
[25.07.2014] - Added reference [5], [6], [7], [8], [9], [10] and [11]
[26.07.2014] - Added reference [12]
[30.07.2014] - Added reference [13]
Zero Science Lab