Developers of phpMyAdmin warned users they may be running a
malicious version of the open-source software package after discovering
backdoor code was snuck into a package being distributed over the widely
used SourceForge repository.
The backdoor contains code that allows remote attackers to take
control of the underlying server running the modified phpMyAdmin, which
is a Web-based tool for managing MySQL databases. The PHP script is
found in a file named server_sync.php, and it reads PHP code embedded in
standard POST Web requests and then executes it. That allows anyone who
knows the backdoor is present to execute code of his choice. HD Moore,
CSO of Rapid7 and chief architect of the Metasploit exploit package for
penetration testers and hackers, told Ars a module has already been added that tests for the vulnerability.
The backdoor is concerning because it was distributed on one of the official mirrors for SourceForge,
which hosts more than 324,000 open-source projects, serves more than 46
million consumers, and handles more than four million downloads each
day. SourceForge officials are still investigating the breach, so
crucial questions remain unanswered. It's still unclear, for instance,
if the compromised server hosted other maliciously modified software
packages, if other official SourceForge mirror sites were also affected,
and if the central repository that feeds these mirror sites might also
have been attacked.
"If that one mirror was compromised, nearly every SourceForge package
on that mirror could have been backdoored, too," Moore said. "So you're
looking at not just phpMyAdmin, but 12,000 other projects. If that one
mirror was compromised and other projects were modified this isn't just
1,000 people. This is up to a couple hundred thousand."
An advisory posted Tuesday
on phpMyAdmin said: "One of the SourceForge.net mirrors, namely
cdnetworks-kr-1, was being used to distribute a modified archive of
phpMyAdmin, which includes a backdoor. This backdoor is located in file
server_sync.php and allows an attacker to remotely execute PHP code.
Another file, js/cross_framing_protection.js, has also been modified."
phpMyAdmin officials didn't respond to e-mails seeking to learn how long
the backdoored version had been available and how many people have
downloaded it.
Update: In a blog post,
SourceForge officials said they believe the
phpMyAdmin-3.5.2.2-all-languages.zip package was the only modified file
on the cdnetworks mirror site, but they are continuing to investigate to
make sure. Logs indicate that about 400 people downloaded the malicious
package. The provider of the Korea-based mirror has confirmed the
breach, which is believed to have happened around September 22, and
indicated it was limited to that single mirror site. The machine has
been taken out of rotation.
"Downloaders are at risk only if a corrupt copy of this software was
obtained, installed on a server, and serving was enabled," the
SourceForge post said. "Examination of web logs and other server data
should help confirm whether this backdoor was accessed."
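One way to act on that advice, as an added example that is not code from the article, SourceForge or the phpMyAdmin project: a small Python triage script that checks an install for the file the advisory names and scans web-server access logs for requests to server_sync.php. It assumes the common "combined" log format, and the sample log lines are constructed for illustration.

```python
import os
import re
from typing import Dict, List

# Files the phpMyAdmin advisory names as added or modified in the backdoored archive.
BACKDOOR_FILE = "server_sync.php"
MODIFIED_JS = os.path.join("js", "cross_framing_protection.js")

# Apache/nginx "combined" access-log format (assumed); named groups are this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def check_install(pma_root: str) -> Dict[str, bool]:
    """Report whether the advisory's files exist under a phpMyAdmin install directory.
    A clean phpMyAdmin tree ships no server_sync.php, so its presence alone is a signal;
    cross_framing_protection.js is legitimate, so it only tells you which file to diff."""
    return {
        "server_sync_present": os.path.isfile(os.path.join(pma_root, BACKDOOR_FILE)),
        "cross_framing_js_present": os.path.isfile(os.path.join(pma_root, MODIFIED_JS)),
    }


def find_backdoor_hits(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed request for server_sync.php. Any hit is suspicious since the
    file should not exist; POST hits are the ones the advisory says carry PHP code to run."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        if path.endswith("/" + BACKDOOR_FILE):
            hits.append(m.groupdict())
    return hits


# Constructed sample log lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2012:10:14:03 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5123',
    '198.51.100.7 - - [25/Sep/2012:10:15:44 +0000] "POST /phpmyadmin/server_sync.php HTTP/1.1" 200 312',
    '203.0.113.5 - - [25/Sep/2012:10:16:02 +0000] "GET /phpmyadmin/server_sync.php HTTP/1.1" 200 0',
    '198.51.100.7 - - [25/Sep/2012:10:17:19 +0000] "POST /phpmyadmin/server_sync.php?x=1 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for hit in find_backdoor_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Run it against the real access logs and the phpMyAdmin document root; a POST hit from an unfamiliar address is the trigger for full incident response, not just removal of the file.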
It's not the first time a widely used open-source project has been
hit by a breach affecting the security of its many downstream users. In
June of last year, WordPress required all account holders on
WordPress.org to change their passwords following the discovery that hackers contaminated it with malicious software.
Three months earlier, maintainers of the PHP programming language spent
several days scouring their source code for malicious modifications
after discovering the security of one of their servers had been breached.
A three-day security breach in 2010 on ProFTP
caused users who downloaded the package during that time to be infected
with a malicious backdoor. The main source-code repository for the Free
Software Foundation was briefly shuttered that same year following the
discovery of an attack that compromised some of the website's account passwords
and may have allowed unfettered administrative access. And last August,
multiple servers used to maintain and distribute the Linux operating
system were infected with malware that gained root system access, although maintainers said the repository was unaffected.