BugTraq
Meditate Web Content Editor 'username_input' SQL-Injection vulnerability Dec 05 2011 07:37PM
sschurtz t-online de
Advisory: Meditate Web Content Editor 'username_input' SQL-Injection vulnerability
Advisory ID: SSCHADV2011-039
Author: Stefan Schurtz
Affected Software: Successfully tested on Meditate 1.2
Vendor URL: http://www.arlomedia.com/
Vendor Status: fixed

==========================
Vulnerability Description
==========================

Meditate Web Content Editor is prone to a SQL-Injection vulnerability

==================
PoC-Exploit
==================

http://<target>/meditate_2.0/index.php?page=login_submit -> POST-Parameter 'username_input=[sql-injection]'

=========
Solution
=========

Upgrade to version 1.2.1

====================
Disclosure Timeline
====================

30-Nov-2011 - Secunia SVCRP (vuln (at) secunia (dot) com [email concealed])
02-Dec-2011 - fixed by vendor
05-Dec-2011 - release date of this security advisory

========
Credits
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References
===========

http://www.arlomedia.com/software/meditate/meditate/docs/release_notes.h
tml
http://www.rul3z.de/advisories/SSCHADV2011-039.txt
http://secunia.com/advisories/47010/

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus