header-logo
Suggest Exploit
vendor:
Meditate Web Content Editor
by:
Stefan Schurtz
7.5
CVSS
HIGH
SQL-Injection
89
CWE
Product Name: Meditate Web Content Editor
Affected Version From: 1.2
Affected Version To: 1.2
Patch Exists: YES
Related CWE: N/A
CPE: a:arlomedia:meditate
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2011

Meditate Web Content Editor ‘username_input’ SQL-Injection vulnerability

Meditate Web Content Editor is prone to a SQL-Injection vulnerability. An attacker can exploit this vulnerability by sending a malicious POST request to the target with the 'username_input' parameter set to a malicious SQL injection string.

Mitigation:

Upgrade to version 1.2.1
Source

Exploit-DB raw data:

Advisory:              	Meditate Web Content Editor 'username_input' SQL-Injection vulnerability
Advisory ID:           	SSCHADV2011-039
Author:                	Stefan Schurtz
Affected Software:  	Successfully tested on Meditate 1.2
Vendor URL:          	http://www.arlomedia.com/
Vendor Status:       	fixed

==========================
Vulnerability Description
==========================

Meditate Web Content Editor is prone to a SQL-Injection vulnerability

==================
PoC-Exploit
==================

http://<target>/meditate_2.0/index.php?page=login_submit -> POST-Parameter 'username_input=[sql-injection]'

=========
Solution
=========

Upgrade to version 1.2.1

====================
Disclosure Timeline
====================

30-Nov-2011 - Secunia SVCRP (vuln@secunia.com)
02-Dec-2011 - fixed by vendor
05-Dec-2011 - release date of this security advisory
05-Dec-2011 - post on BugTraq

========
Credits
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References
===========

http://www.arlomedia.com/software/meditate/meditate/docs/release_notes.html
http://www.rul3z.de/advisories/SSCHADV2011-039.txt
http://secunia.com/advisories/47010/

Navigation

Suggest Exploit

Services By CQR