Omeka 2.2 CSRF And Stored XSS Vulnerability
Title: Omeka 2.2 CSRF And Stored XSS Vulnerability
Advisory ID: ZSL-2014-5193
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 17.07.2014
Apache/2.2.22 (Debian)
PHP 5.4.4-13(apache2handler)
MySQL 5.5.28
[16.07.2014] Contact with the vendor.
[16.07.2014] Vendor responds asking for details.
[16.07.2014] Sent details to the vendor.
[16.07.2014] Vendor confirms vulnerabilities.
[17.07.2014] Vendor releases patched version 2.2.1 to address these issues.
[17.07.2014] Coordinated public security advisory released.
[2] http://omeka.org/codex/Release_Notes_for_2.2.1
[3] https://github.com/omeka/Omeka/compare/24896ce...v2.2.1
[4] http://www.exploit-db.com/exploits/34100/
[5] http://cxsecurity.com/issue/WLB-2014070097
[6] http://packetstormsecurity.com/files/127523
[7] http://www.securityfocus.com/bid/68707
[8] http://osvdb.org/show/osvdb/109263
[9] http://osvdb.org/show/osvdb/109264
[10] http://xforce.iss.net/xforce/xfdb/94689
[11] http://xforce.iss.net/xforce/xfdb/94690
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-5100
[13] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5100
[18.07.2014] - Added reference [4], [5], [6], [7], [8] and [9]
[19.07.2014] - Added reference [10] and [11]
[27.07.2014] - Added reference [12] and [13]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2014-5193
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 17.07.2014
Summary
Omeka is a free, flexible, and open source web-publishing platform for the display of library, museum, archives, and scholarly collections and exhibitions. Its 'five-minute setup' makes launching an online exhibition as easy as launching a blog.Description
Omeka version 2.2 suffers from a cross-site request forgery and a stored xss vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to the 'api_key_label' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.Vendor
Omeka Team (CHNM GMU) - http://www.omeka.orgAffected Version
2.2Tested On
Kali Linux 3.7-trunk-686-paeApache/2.2.22 (Debian)
PHP 5.4.4-13(apache2handler)
MySQL 5.5.28
Vendor Status
[16.07.2014] Vulnerabilities discovered.[16.07.2014] Contact with the vendor.
[16.07.2014] Vendor responds asking for details.
[16.07.2014] Sent details to the vendor.
[16.07.2014] Vendor confirms vulnerabilities.
[17.07.2014] Vendor releases patched version 2.2.1 to address these issues.
[17.07.2014] Coordinated public security advisory released.
PoC
omeka_csrfxss.htmlCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://omeka.org/blog/2014/07/16/omeka-2-2-1-security-update-released/[2] http://omeka.org/codex/Release_Notes_for_2.2.1
[3] https://github.com/omeka/Omeka/compare/24896ce...v2.2.1
[4] http://www.exploit-db.com/exploits/34100/
[5] http://cxsecurity.com/issue/WLB-2014070097
[6] http://packetstormsecurity.com/files/127523
[7] http://www.securityfocus.com/bid/68707
[8] http://osvdb.org/show/osvdb/109263
[9] http://osvdb.org/show/osvdb/109264
[10] http://xforce.iss.net/xforce/xfdb/94689
[11] http://xforce.iss.net/xforce/xfdb/94690
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-5100
[13] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5100
Changelog
[17.07.2014] - Initial release[18.07.2014] - Added reference [4], [5], [6], [7], [8] and [9]
[19.07.2014] - Added reference [10] and [11]
[27.07.2014] - Added reference [12] and [13]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk