[VIM] CMS Made Simple eval injection is really an ADOdb Lite problem
Steven M. Christey
coley at mitre.org
Mon Sep 24 16:54:44 UTC 2007
Ref: MILW0RM:4442
Researcher: irk4z at yahoo.pl

lib/adodb_lite/adodb-perf-module.inc.php in CMS Made Simple is an
exact copy of adodb-perf-module.inc.php as distributed in ADOdb Lite
1.42 from here:

  http://sourceforge.net/project/showfiles.php?group_id=140982

The first executable line contains:

  eval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }');

Note that adodb-perf.inc.php in the "regular" ADOdb doesn't have an
eval at all, so this appears to be specific to ADOdb Lite.

- Steve
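
Added example, not part of the original post and not code from ADOdb Lite or CMS Made Simple: a Python scan that walks a source tree and reports PHP files in which eval() is handed a class declaration whose parent name comes from a variable, which is one way to locate other bundled copies of the line quoted above. It generalizes from that one line to any eval-built `extends` clause; the regular expression, the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches eval('class X extends ' . $var ...): a class declaration assembled
# from a variable and passed to eval, as in the line quoted in the post.
EVAL_CLASS = re.compile(
    r"""eval\s*\(\s*(['"])\s*class\s+\w+\s+extends\s*\1\s*\.\s*(\$\w+)""",
    re.IGNORECASE,
)

def scan_source(text):
    """Return (line_number, variable) for each eval-built class declaration."""
    hits = []
    for m in EVAL_CLASS.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(2)))
    return hits

def scan_tree(root):
    """Map each PHP file under root (relative path) to its list of hits."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample_tree(root):
    """Constructed sample tree: one vendored file carrying the quoted line,
    and one stand-in file with no eval that must not be reported."""
    vendored = Path(root) / "lib" / "adodb_lite"
    vendored.mkdir(parents=True)
    (vendored / "adodb-perf-module.inc.php").write_text(
        "<?php\n"
        "eval('class perfmon_parent_EXTENDER extends ' . $last_module"
        " . '_ADOConnection { }');\n"
    )
    (Path(root) / "adodb-perf.inc.php").write_text("<?php\n// no eval here\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, hits in scan_tree(tmp).items():
            for line, var in hits:
                print(f"{name}:{line}: eval builds a class name from {var}")
```

A hit only says the construct is present; whether the variable can carry untrusted input still has to be checked in the surrounding code.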