A compromised copy of the MySQL administration tool phpMyAdmin was being served up via a SourceForge mirror site based in Korea that has since been taken out of the rotation, officials said.
A compromised copy of the MySQL tool phpMyAdmin containing a backdoor was being served to users from a SourceForge mirror based in Korea.
SourceForge is a popular repository for open-source software. In a blog post, SourceForge explained how the malicious copy of phpMyAdmin--an administration tool for the MySQL open-source database--was downloaded roughly 400 times before the situation was discovered. Attackers could use the backdoor hidden in the phpMyAdmin tool to execute arbitrary commands.
"On September 25th, SourceForge became aware of a corrupted copy of phpMyAdmin being served from the 'cdnetworks-kr-1' mirror in Korea," according to SourceForge
. "This mirror was immediately removed from rotation. The mirror provider has confirmed the attack vector has been identified and is limited to their mirror; with [the] exploit having occurred on or around Sept. 22nd."
The phpMyAdmin project sent direct emails to the users identified through SourceForge logs as having downloaded the compromised copy, SourceForge noted.
The phpMyAdmin project classified the vulnerability--which was discovered by the Tencent Security Response Center--as critical, noting that only the phpMyAdmin-126.96.36.199-all-languages.zip is known to be affected and users should check to see if their download contains a file named server_sync.php.
"It is our recommendation that downloaders of this corrupted file (which contains 'server_sync.php') assess risk and take action as they deem appropriate, including deletion of the corrupted file and downloading a fresh copy," according to SourceForge. "Downloaders are at risk only if a corrupt copy of this software was obtained, installed on a server, and serving was enabled. Examination of web logs and other server data should help confirm whether this backdoor was accessed."
One of the most troubling aspects of this is that the application that was targeted, phpMyAdmin, is one of the most popular applications for managing MySQL, said Dan Kuykendall, co-CEO and CTO of application security firm NT OBJECTives.
"With that exploit installed, it basically allows the bad guy full access to the person's database server," he said. "That's pretty scary."
He recommended organizations compare checksums with the original source to check the validity of a file downloaded from a mirror server.
"Nobody ever does that," he said. "Few organizations actually go through that step to confirm that the binary is valid according to the original source. And that's really where I think a lot of the pieces of the breakdown [are]."
Qualys CTO Wolfgang Kandek agreed that the process of manually checking the published MD5 checksum against the current MD5 hash of a downloaded file is "tedious" and often skipped.
"The best thing to do is to select a vendor that provides all software in a packaged and verified format," he told eWEEK. "If you have a vendor who doesn't support a certain software, then be sure not to skip your own verification, and double check the integrity of the software with the help of the original site. In this case, check with PHPmyadmin.net, which has the MD5 checksums listed."