[VIM] CMS Made Simple eval injection is really an ADOdb Lite problem

Steven M. Christey coley at mitre.org
Mon Sep 24 16:54:44 UTC 2007

Ref: MILW0RM:4442
Researcher: irk4z at yahoo.pl

lib/adodb_lite/adodb-perf-module.inc.php in CMS Made Simple is an
exact copy of adodb-perf-module.inc.php as distributed in ADOdb Lite
1.42 from here:


The first executable line contains:

  eval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }');

Note that adodb-perf.inc.php in the "regular" ADOdb doesn't have an
eval at all, so this appears to be specific to ADOdb Lite.

- Steve

More information about the VIM mailing list