On September 25th, SourceForge became aware of a corrupted copy of phpMyAdmin being served from the ‘cdnetworks-kr-1’ mirror in Korea. This mirror was immediately removed from rotation.
The mirror provider has confirmed the attack vector has been identified and is limited to their mirror; with exploit having occurred on or around September 22nd.
Through validation we have confirmed the corrupted file (a modified copy of phpMyAdmin-184.108.40.206-all-languages.zip) was served only via the ‘cdnetworks-kr-1’ mirror.
While we believe that only one file was modified on the ‘cdnetworks-kr-1’ mirror, we are conducting additional validation to confirm and will provide update once this process concludes. The mirror remains out of rotation.
Through logs, we have identified that approximately 400 users downloaded this corrupted file. Notice of this corrupted file has been transmitted through security notice by the phpMyAdmin project and direct email to those users we were able to identify through our logs.
This corrupted copy of phpMyAdmin included a backdoor which permitted execution of arbitrary commands by the web server user. The notice from phpMyAdmin may be seen at:
It is our recommendation that downloaders of this corrupted file (which contains ‘server_sync.php’) assess risk and take action as they deem appropriate, including deletion of the corrupted file and downloading a fresh copy.
Downloaders are at risk only if a corrupt copy of this software was obtained, installed on a server, and serving was enabled. Examination of web logs and other server data should help confirm whether this backdoor was accessed.
SourceForge thanks the phpMyAdmin team and the Tencent security team for escalating this issue.
The SourceForge team