Open Source · 2012-09-22 · 3 days · Backdoor, Remote Code Execution

phpMyAdmin mirror served backdoored zip

The SourceForge mirror cdnetworks-kr-1 distributed a modified phpMyAdmin-3.5.2.2-all-languages.zip archive containing the server_sync.php backdoor. The payload allowed remote PHP code execution as the web server user, and js/cross_framing_protection.js was also modified.

Story

Around September 22, 2012, the SourceForge mirror cdnetworks-kr-1 in Korea began serving a corrupted copy of phpMyAdmin-3.5.2.2-all-languages.zip. This was not a lookalike package or a third-party repost: users could arrive through the legitimate SourceForge download system and receive a backdoored archive for a database administration tool commonly exposed on web servers.

The modification was narrowly scoped: server_sync.php carried the backdoor, and js/cross_framing_protection.js was also altered. The delivery path was the mirror rotation, so the same download URL could yield a clean or a backdoored archive depending on which mirror served the request.

That mirror detail is the center of the incident. Neither the phpMyAdmin project itself nor every mirror had to be compromised. A single compromised mirror in a trusted distribution network was enough to put remote-code-execution code in front of users who believed they were fetching an official release.

phpMyAdmin's advisory, issued September 25 and updated September 26, identified server_sync.php as the backdoor and js/cross_framing_protection.js as another modified file. The backdoor allowed remote PHP code execution under the web server account. SourceForge removed the mirror from rotation on September 25, confirmed the compromise was limited to that mirror, and reported roughly 400 downloads of the corrupted file.

Affected Artifacts

Incident Context

Motive: Unauthorized Access Control
Attribution: Person
Cause: Compromised Infrastructure
Transitive: No
Actor: Individual Hacker
User Impact: 400

External References

Source record: oss/attacks/phpmyadmin/2012/meta.yaml