
Message from j-braden@tamu.edu

If you are running phpMyAdmin, and have recently performed an update, you might have a compromised version. In short, any version that was downloaded from the SourceForge mirror site cdnetworks-kr-1 and contains the file server_sync.php probably contains a backdoor. As this vulnerability is classified as EXTREMELY CRITICAL, I would suggest you verify that no such file exists in your installed version.

 

http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php

Solution

Check your phpMyAdmin distribution and download it again from a trusted mirror if your copy contains a file named server_sync.php.

 

http://secunia.com/advisories/50703/  

Secunia Advisory SA50703

phpMyAdmin Compromised Source Package Backdoor Security Issue

Release Date: 2012-09-25

Criticality level: Extremely critical

Description

A security issue has been reported in phpMyAdmin, which can be exploited by malicious people to compromise a vulnerable system.

 

The security issue is caused due to the distribution of a compromised phpMyAdmin source code package containing a backdoor, which can be exploited to e.g. execute arbitrary PHP code.

 

The compromised source file was distributed via the "cdnetworks-kr-1" SourceForge mirror with the phpMyAdmin-3.5.2.2-all-languages.zip download.

 

Solution

Download and reinstall phpMyAdmin.

Provided and/or discovered by

The vendor credits Tencent Security Response Center.

 

Original Advisory

http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php

 

 

 

Jimmy C Braden

Information Security Officer

AgriLife Information Technology

979-862-7254

j-braden@tamu.edu

 


Comments

Message from valdis.kletnieks@vt.edu

On Tue, 25 Sep 2012 20:56:14 -0000, Chuck Braden said:
> If you are running phpMyAdmin, and have recently performed an update, you
> might have a compromised version. In short, any version that was downloaded
> from the SourceForge Mirror site - cdnetworks-kr-1

Has anybody established that's the *only* thing pwned on that SourceForge mirror?

Absolutely not. That is one of the major concerns. -Dan Basile
Message from j-braden@tamu.edu

Latest update seems to only indicate that only the cdnetworks-kr-1 mirror was affected.

http://nakedsecurity.sophos.com/2012/09/27/sourceforge-serves-up-malware... ected-phpmyadmin-toolkit/

The silver lining is that only the Korean mirror cdnetworks-kr-1 had the malicious version:

One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor. This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified.

Jimmy C Braden
Information Security Officer
AgriLife Information Technology
979-862-7254
j-braden@tamu.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Basile, Daniel L.
Sent: Tuesday, September 25, 2012 8:43 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Compromised version of phpMyAdmin contains backdoor

Absolutely not. That is one of the major concerns. -Dan Basile

Message from j-braden@tamu.edu

Sorry, I guess I misunderstood the question. In answer to your question about other content on that mirror host, I have not seen anything else identified.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Braden
Sent: Thursday, September 27, 2012 9:37 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Compromised version of phpMyAdmin contains backdoor

Latest update seems to only indicate that only the cdnetworks-kr-1 mirror was affected.

http://nakedsecurity.sophos.com/2012/09/27/sourceforge-serves-up-malware... ected-phpmyadmin-toolkit/

The silver lining is that only the Korean mirror cdnetworks-kr-1 had the malicious version:

One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor. This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified.

Jimmy C Braden
Information Security Officer
AgriLife Information Technology
979-862-7254
j-braden@tamu.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Basile, Daniel L.
Sent: Tuesday, September 25, 2012 8:43 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Compromised version of phpMyAdmin contains backdoor

Absolutely not. That is one of the major concerns. -Dan Basile
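
The check the thread describes, as an added example that is not part of the original messages or of the phpMyAdmin advisory: a shell function that sweeps a directory tree for the two indicators named above, a file called server_sync.php and a changed js/cross_framing_protection.js. The function name scan_pma, the output labels and the optional reference directory (the same release unpacked from a trusted mirror) are assumptions of this example.

```shell
#!/bin/sh
# Added example: sweep a web root for the two indicators named in the thread.
# Usage: scan_pma WEBROOT [TRUSTED_DIR]
#   WEBROOT      directory tree to search (for example the document root)
#   TRUSTED_DIR  optional (assumption of this example): the same phpMyAdmin
#                release unpacked from a trusted mirror, used as reference
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
scan_pma() {
    root=$1
    trusted=${2:-}
    findings=$(
        # Indicator 1: the file the advisory says carries the backdoor.
        find "$root" -type f -name server_sync.php 2>/dev/null |
            sed 's/^/BACKDOOR-FILE /'
        # Indicator 2: the script reported as modified. A byte-for-byte
        # comparison needs a known-good copy, so skip it without one.
        if [ -n "$trusted" ] && [ -f "$trusted/js/cross_framing_protection.js" ]; then
            find "$root" -type f -path '*/js/cross_framing_protection.js' 2>/dev/null |
            while IFS= read -r f; do
                cmp -s "$f" "$trusted/js/cross_framing_protection.js" ||
                    printf 'MODIFIED-FILE %s\n' "$f"
            done
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run directly as: sh scan_pma.sh /var/www /path/to/trusted/phpMyAdmin
if [ "$#" -gt 0 ]; then
    scan_pma "$@"
fi
```

A clean result only says these two indicators are absent; the advisory's remedy for an affected copy is still to download again from a trusted mirror and reinstall.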