Meditate Web Content Editor 'username_input' SQL-Injection vulnerability



EKU-ID: 1388 CVE: OSVDB-ID:
Author: Stefan Schurtz Published: 2011-12-07 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


Advisory:               Meditate Web Content Editor 'username_input' SQL-Injection vulnerability
Author:                 Stefan Schurtz
Affected Software:      Successfully tested on Meditate 1.2
Vendor URL:             http://www.arlomedia.com/
Vendor Status:          fixed
 
==========================
Vulnerability Description
==========================
 
Meditate Web Content Editor is prone to a SQL-Injection vulnerability
 
==================
PoC-Exploit
==================
 
http://<target>/meditate_2.0/index.php?page=login_submit -> POST-Parameter 'username_input=[sql-injection]'
 
=========
Solution
=========
 
Upgrade to version 1.2.1
 
====================
Disclosure Timeline
====================
 
30-Nov-2011 - Secunia SVCRP (vuln@secunia.com)
02-Dec-2011 - fixed by vendor
05-Dec-2011 - release date of this security advisory
05-Dec-2011 - post on BugTraq