
Message from j-braden@tamu.edu

If you are running phpMyAdmin, and have recently performed an update, you might have a compromised version. In short, any version that was downloaded from the SourceForge mirror site cdnetworks-kr-1 and contains the file server_sync.php probably contains a backdoor. As this vulnerability is classified as EXTREMELY CRITICAL, I would suggest you verify that no such file exists in your installed version.

 

http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php

Solution

Check your phpMyAdmin distribution and download it again from a trusted mirror if your copy contains a file named server_sync.php.

 

http://secunia.com/advisories/50703/

Secunia Advisory SA50703

phpMyAdmin Compromised Source Package Backdoor Security Issue

Secunia Advisory: SA50703
Release Date: 2012-09-25
Criticality level: Extremely critical

Description

A security issue has been reported in phpMyAdmin, which can be exploited by malicious people to compromise a vulnerable system.

 

The security issue is caused due to the distribution of a compromised phpMyAdmin source code package containing a backdoor, which can be exploited to e.g. execute arbitrary PHP code.

 

The compromised source file was distributed via the "cdnetworks-kr-1" SourceForge mirror with the phpMyAdmin-3.5.2.2-all-languages.zip download.

 

Solution

Download and reinstall phpMyAdmin.

Provided and/or discovered by

The vendor credits Tencent Security Response Center.

 

Original Advisory

http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php

 

 

 

Jimmy C Braden

Information Security Officer

AgriLife Information Technology

979-862-7254

j-braden@tamu.edu


Comments

Message from valdis.kletnieks@vt.edu

On Tue, 25 Sep 2012 20:56:14 -0000, Chuck Braden said:

> If you are running phpMyAdmin, and have recently performed an update, you
> might have a compromised version. In short, any version that was downloaded
> from the SourceForge Mirror site - cdnetworks-kr-1

Has anybody established that's the *only* thing pwned on that SourceForge mirror?

Absolutely not. That is one of the major concerns.

-Dan Basile
Message from j-braden@tamu.edu

Latest update seems to indicate that only the cdnetworks-kr-1 mirror was affected.

http://nakedsecurity.sophos.com/2012/09/27/sourceforge-serves-up-malware... ected-phpmyadmin-toolkit/

The silver lining is that only the Korean mirror cdnetworks-kr-1 had the malicious version:

"One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor. This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified."

Jimmy C Braden
Information Security Officer
AgriLife Information Technology
979-862-7254
j-braden@tamu.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Basile, Daniel L.
Sent: Tuesday, September 25, 2012 8:43 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Compromised version of phpMyAdmin contains backdoor

Absolutely not. That is one of the major concerns.

-Dan Basile
Message from j-braden@tamu.edu

Sorry, I guess I misunderstood the question. In answer to your question about other content on that mirror host, I have not seen anything else identified.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Braden
Sent: Thursday, September 27, 2012 9:37 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Compromised version of phpMyAdmin contains backdoor

Latest update seems to indicate that only the cdnetworks-kr-1 mirror was affected.

http://nakedsecurity.sophos.com/2012/09/27/sourceforge-serves-up-malware... ected-phpmyadmin-toolkit/

The silver lining is that only the Korean mirror cdnetworks-kr-1 had the malicious version:

"One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor. This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified."

Jimmy C Braden
Information Security Officer
AgriLife Information Technology
979-862-7254
j-braden@tamu.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Basile, Daniel L.
Sent: Tuesday, September 25, 2012 8:43 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Compromised version of phpMyAdmin contains backdoor

Absolutely not. That is one of the major concerns.

-Dan Basile
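A host-side check for the two indicators this thread names (the server_sync.php file from the first post, and the modified js/cross_framing_protection.js mentioned in the later replies), as an added example written for this page; it is not part of the list thread, the advisories, or phpMyAdmin's own tooling. It assumes that a phpMyAdmin install can be recognised by its libraries/common.inc.php, and that PMA_REF_JS, if set, points at a copy of js/cross_framing_protection.js taken from an archive freshly downloaded from a trusted mirror; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the list thread: flag the indicators named in
# PMASA-2012-5 / SA50703 inside phpMyAdmin installs found under given web roots.
# Assumptions (the example's, not the advisory's): an install is recognised by
# libraries/common.inc.php; PMA_REF_JS, if set, points at a copy of
# js/cross_framing_protection.js taken from an archive fetched from a trusted mirror.

# check_pma_dir DIR: report findings for one install.
# Returns 0 when no indicator is present, 1 otherwise.
check_pma_dir() {
    dir=$1
    status=0
    if [ -f "$dir/server_sync.php" ]; then
        echo "SUSPICIOUS: $dir/server_sync.php present (backdoor indicator)"
        status=1
    fi
    js="$dir/js/cross_framing_protection.js"
    if [ -n "${PMA_REF_JS:-}" ] && [ -f "$js" ] && ! cmp -s "$js" "$PMA_REF_JS"; then
        echo "SUSPICIOUS: $js differs from the trusted reference copy"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $dir"
    fi
    return "$status"
}

# scan_webroots ROOT...: check every phpMyAdmin install beneath the roots.
# Returns 1 if any install is suspicious. The word-splitting loop does not
# handle install paths that contain whitespace; use find -exec for those.
scan_webroots() {
    rc=0
    for root in "$@"; do
        for marker in $(find "$root" -type f -path '*/libraries/common.inc.php' 2>/dev/null); do
            check_pma_dir "${marker%/libraries/common.inc.php}" || rc=1
        done
    done
    return "$rc"
}

# Usage: sh check_pma.sh /var/www /srv/http
if [ "$#" -gt 0 ]; then
    scan_webroots "$@"
fi
```

A clean result only means these two indicators are absent; the advisory's actual remedy is to reinstall from a trusted mirror.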