Meditate Web Content Editor 1.2 SQL Injection

`Advisory: Meditate Web Content Editor 'username_input' SQL-Injection vulnerability  
Advisory ID: SSCHADV2011-039  
Author: Stefan Schurtz  
Affected Software: Successfully tested on Meditate 1.2  
Vendor URL: http://www.arlomedia.com/  
Vendor Status: fixed  
  
==========================  
Vulnerability Description  
==========================  
  
Meditate Web Content Editor is prone to a SQL-Injection vulnerability  
  
==================  
PoC-Exploit  
==================  
  
http://<target>/meditate_2.0/index.php?page=login_submit -> POST-Parameter 'username_input=[sql-injection]'  
  
=========  
Solution  
=========  
  
Upgrade to version 1.2.1  
  
====================  
Disclosure Timeline  
====================  
  
30-Nov-2011 - Secunia SVCRP ([email protected])  
02-Dec-2011 - fixed by vendor  
05-Dec-2011 - release date of this security advisory  
  
========  
Credits  
========  
  
Vulnerability found and advisory written by Stefan Schurtz.  
  
===========  
References  
===========  
  
http://www.arlomedia.com/software/meditate/meditate/docs/release_notes.html  
http://www.rul3z.de/advisories/SSCHADV2011-039.txt  
http://secunia.com/advisories/47010/  
`