Meditate Web Content Editor ‘username_input’ – SQL Injection

• Exploit Database
• 127 阅读

• 作者： Stefan Schurtz
  日期： 2011-12-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/18202/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48

  Advisory: Meditate Web Content Editor &apos;username_input&apos; SQL-Injection vulnerability Advisory ID: SSCHADV2011-039 Author: Stefan Schurtz Affected Software: Successfully tested on Meditate 1.2 Vendor URL: http://www.arlomedia.com/ Vendor Status: fixed   ========================== Vulnerability Description ==========================   Meditate Web Content Editor is prone to a SQL-Injection vulnerability   ================== PoC-Exploit ==================   http://<target>/meditate_2.0/index.php?page=login_submit -> POST-Parameter &apos;username_input=[sql-injection]&apos;   ========= Solution =========   Upgrade to version 1.2.1   ==================== Disclosure Timeline ====================   30-Nov-2011 - Secunia SVCRP (vuln@secunia.com) 02-Dec-2011 - fixed by vendor 05-Dec-2011 - release date of this security advisory 05-Dec-2011 - post on BugTraq   ======== Credits ========   Vulnerability found and advisory written by Stefan Schurtz.   =========== References ===========   http://www.arlomedia.com/software/meditate/meditate/docs/release_notes.html http://www.rul3z.de/advisories/SSCHADV2011-039.txt http://secunia.com/advisories/47010/