Omeka 2.2.1 Remote Code Execution Exploit
Title: Omeka 2.2.1 Remote Code Execution Exploit
Advisory ID: ZSL-2014-5194
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 24.07.2014
Summary
Omeka is a free, flexible, and open source web-publishing platform for the display of library, museum, archives, and scholarly collections and exhibitions. Its 'five-minute setup' makes launching an online exhibition as easy as launching a blog.
Description
Omeka suffers from an authenticated arbitrary PHP code execution vulnerability. The flaw is caused by improper verification of files uploaded through the '/admin/items/add' script via the 'file[0]' POST parameter. An authenticated attacker can first disable the file validation option (or add a type such as 'application/x-php' to the allowed MIME types list), then upload a malicious PHP script, which is stored in the '/files/original' directory. Because the rewrite rule in the '.htaccess' file does not cover the '.php5' extension, a script uploaded with that extension is executed by the server when requested, giving arbitrary PHP code execution.
Vendor
Omeka Team (CHNM GMU) - http://www.omeka.org
Affected Version
2.2.1 and 2.2
Tested On
Kali Linux 3.7-trunk-686-pae
Apache/2.2.22 (Debian)
PHP 5.4.4-13 (apache2handler)
MySQL 5.5.28
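The two controls the Description says were bypassed, an admin-editable MIME allowlist whose validation can be switched off and a rewrite rule that blocks only one PHP extension, are modelled in the Python below. This is an illustration added here; it is not Omeka's code and not the advisory's omeka_rce.py PoC. The regular expressions, allowlist contents, function names and the directory listing are assumptions made for the example, not taken from Omeka's .htaccess or settings. It shows why a widened MIME list is enough to get a '.php5' file past a deny rule of the form '\.php$', and what a gate that keys on the stored filename rather than the client-declared type looks like.

```python
"""Upload-gate model for the file-upload weakness described in ZSL-2014-5194.

Added illustration (assumed regexes, allowlists and names), not Omeka's code
and not the advisory's PoC script.
"""
import re
from os.path import basename

# Assumed weak rule: blocks only a trailing ".php". A rule that a ".php5"
# upload walks past must look roughly like this; it is not Omeka's actual file.
WEAK_DENY = re.compile(r"\.php$", re.IGNORECASE)

# Hardened rule (assumed wording): every suffix a PHP-enabled Apache may route
# to the PHP handler, matched anywhere in the extension chain so that a name
# such as "x.php.jpg" is caught as well.
STRICT_DENY = re.compile(r"\.(ph(p\d?|tml|ps|ar)|inc)(\.|$)", re.IGNORECASE)

# Constructed allowlists for the illustration.
DEFAULT_MIMES = frozenset({"image/jpeg", "image/png", "application/pdf"})
DEFAULT_EXTS = frozenset({"jpg", "jpeg", "png", "pdf"})


def blocked_by_rewrite(filename, deny=WEAK_DENY):
    """Would the .htaccess deny rule refuse to serve this stored file?"""
    return deny.search(basename(filename)) is not None


def mime_gate(declared_mime, allowed_mimes=DEFAULT_MIMES, validation_enabled=True):
    """Model of an admin-tunable MIME allowlist.

    The declared type is client-supplied, and an admin can switch the gate off
    or widen the list, which is the precondition the advisory describes.
    """
    if not validation_enabled:
        return True
    return declared_mime in allowed_mimes


def reaches_php_handler(filename, declared_mime, allowed_mimes=DEFAULT_MIMES,
                        validation_enabled=True, deny=WEAK_DENY):
    """True when the upload is stored AND the deny rule does not block it."""
    stored = mime_gate(declared_mime, allowed_mimes, validation_enabled)
    return stored and not blocked_by_rewrite(filename, deny)


def hardened_gate(filename, declared_mime, allowed_mimes=DEFAULT_MIMES,
                  allowed_exts=DEFAULT_EXTS):
    """Stricter gate: extension allowlist plus the PHP deny pattern, applied
    regardless of the MIME allowlist, so widening the MIME list alone cannot
    admit a script."""
    name = basename(filename)
    if STRICT_DENY.search(name):
        return False
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in allowed_exts:
        return False
    return declared_mime in allowed_mimes


def find_script_uploads(listing, deny=WEAK_DENY):
    """Names in a stored-files listing that the given deny rule would still
    serve but the strict pattern flags: what to look for in /files/original
    when checking an instance that ran with the weak rule."""
    return sorted(n for n in listing
                  if not blocked_by_rewrite(n, deny)
                  and blocked_by_rewrite(n, STRICT_DENY))


if __name__ == "__main__":
    # Constructed listing, not taken from any real Omeka installation.
    listing = ["a1b2.jpg", "scan.pdf", "shell.php", "shell.php5",
               "door.phtml", "pic.php.jpg"]
    print(find_script_uploads(listing))
```

Running the block prints the entries of the constructed listing that a '\.php$' rule would still serve but the strict pattern flags. The same strict pattern, expressed as a FilesMatch or RewriteRule deny in the upload directory, is the server-side form of the hardening; that wording is an assumption, and the vendor's actual change is in the 2.2.2 diff cited as reference [3].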
Vendor Status
[16.07.2014] Vulnerability discovered.
[17.07.2014] Vendor contacted; details sent.
[17.07.2014] Vendor confirms vulnerability.
[18.07.2014] Working with the vendor.
[23.07.2014] Vendor releases version 2.2.2 to address this issue.
[24.07.2014] Coordinated public security advisory released.
PoC
omeka_rce.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to John and Patrick!
References
[1] http://omeka.org/blog/2014/07/23/omeka-2-2-2-is-released/
[2] http://omeka.org/codex/Release_Notes_for_2.2.2
[3] https://github.com/omeka/Omeka/compare/24896ce...v2.2.2
[4] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5193.php
[5] http://www.exploit-db.com/exploits/34160/
[6] http://osvdb.org/show/osvdb/109507
[7] http://www.securityfocus.com/bid/68892
[8] http://packetstormsecurity.com/files/127609
[9] http://cxsecurity.com/issue/WLB-2014070132
[10] http://1337day.com/exploit/22473
[11] http://www.vfocus.net/art/20140725/11648.html
[12] http://xforce.iss.net/xforce/xfdb/94835
[13] http://sebug.net/vuldb/ssvid-87153
Changelog
[24.07.2014] - Initial release
[25.07.2014] - Added references [5], [6], [7], [8], [9], [10] and [11]
[26.07.2014] - Added reference [12]
[30.07.2014] - Added reference [13]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk