phpMyAdmin corrupted copy on Korean mirror server

On September 25th, SourceForge became aware of a corrupted copy of phpMyAdmin being served from the ‘cdnetworks-kr-1’ mirror in Korea. This mirror was immediately removed from rotation.

The mirror provider has confirmed that the attack vector has been identified and is limited to their mirror, with the exploit having occurred on or around September 22nd.

Through validation we have confirmed the corrupted file (a modified copy of phpMyAdmin-3.5.2.2-all-languages.zip) was served only via the ‘cdnetworks-kr-1’ mirror.

While we believe that only one file was modified on the ‘cdnetworks-kr-1’ mirror, we are conducting additional validation to confirm this and will provide an update once this process concludes. The mirror remains out of rotation.

Through logs, we have identified that approximately 400 users downloaded this corrupted file. Notice of this corrupted file has been transmitted through a security notice by the phpMyAdmin project and by direct email to those users we were able to identify through our logs.

This corrupted copy of phpMyAdmin included a backdoor which permitted execution of arbitrary commands by the web server user. The notice from phpMyAdmin may be seen at:
http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php

It is our recommendation that downloaders of this corrupted file (which contains ‘server_sync.php’) assess risk and take action as they deem appropriate, including deletion of the corrupted file and downloading a fresh copy.

Downloaders are at risk only if a corrupt copy of this software was obtained, installed on a server, and serving was enabled. Examination of web logs and other server data should help confirm whether this backdoor was accessed.

SourceForge thanks the phpMyAdmin team and the Tencent security team for escalating this issue.

Thank you,
The SourceForge team
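
The two checks the notice recommends (look for ‘server_sync.php’ in the installation, and examine web logs for access to it) can be scripted as below. This is an added example, not code from SourceForge or the phpMyAdmin project; it assumes access logs in the Apache/nginx combined format, and the function names and sample log lines are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import unquote

MARKER = "server_sync.php"  # file name the notice gives for the corrupted copy

# Apache/nginx "combined" access-log layout (assumption; adapt to custom formats).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_marker_files(webroot):
    """Return every file under webroot that is named like the marker."""
    return sorted(str(p) for p in Path(webroot).rglob("*")
                  if p.is_file() and p.name.lower() == MARKER)

def backdoor_requests(lines):
    """Return parsed log entries whose URL path ends in the marker file name."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; review such lines separately
        path = unquote(m["target"].split("?", 1)[0])  # drop query, decode %xx
        if path.rsplit("/", 1)[-1].lower() == MARKER:
            # 2xx: the server answered from that path, so the file was present
            hits.append({**m.groupdict(), "served": m["status"].startswith("2")})
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Sep/2012:03:14:07 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Sep/2012:04:01:55 +0000] "POST /phpmyadmin/server_sync.php HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.9 - - [26/Sep/2012:04:02:10 +0000] "GET /pma/server_sync%2Ephp?x=1 HTTP/1.1" 404 209 "-" "-"',
]

if __name__ == "__main__":
    for h in backdoor_requests(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["method"], h["target"], h["status"],
              "SERVED" if h["served"] else "not served")
```

Run `backdoor_requests` over every rotated and compressed log that covers the period since the package was installed, since the notice dates the mirror compromise to on or around September 22nd.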

8 comments
BuyingMedia LLC

Very scary thought as a php user myself, would hate to deal with the aftermath of something like that!

dspe

@mojoLyon what an idea to have phpMyAdmins as well :D

mojoLyon

@dspe Absolutely ;) Well, here it's via a mirror in Korea, so less impact in Europe, but prevention is better than cure :)

gslin

@jnlin That cracked me up

jsalsman

Perhaps automated mirror validation is called for?

Jacob Moorman

@jsalsman Periodic validation of all mirrors is already implemented (even before this event).

duhderp

@Jacob Moorman @jsalsman And so obviously isn't good enough? Perhaps any time the files on a mirror change they should be verified against a known good working copy?