September 26, 2012, 12:28 PM — Unknown attackers compromised a download mirror server for the SourceForge software repository, rigging the installer package for phpMyAdmin, a popular Web-based MySQL database administration tool, with a backdoor.
SourceForge is a Web-based collaborative software development and repository system that hosts over 324,000 software development projects and serves 46 million users. The service is operated by Geeknet, a company based in Fairfax County, Virginia, U.S.
"One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor," the phpMyAdmin development team said Tuesday in a security advisory. "This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code."
The modified package was phpMyAdmin-126.96.36.199-all-languages.zip and, according to access logs from the compromised mirror server, it was downloaded by approximately 400 users.
An identifier of CVE-2012-5159 was assigned to the vulnerability introduced by the phpMyAdmin backdoor code. Security vendor Secunia rates the vulnerability as extremely critical because it provides system access and can be exploited remotely.
A module targeting the vulnerability was added to the Metasploit penetration testing framework on Tuesday.
The affected mirror server was based in Korea and was compromised on or around Sept. 22, the SourceForge team said Tuesday in a blog post. "The mirror provider has confirmed the attack vector has been identified and is limited to their mirror," the SourceForge team said.
The mirror server was removed from rotation after SourceForge learned of the compromise on Tuesday. However, the team is still investigating whether the phpMyAdmin archive was the only package modified by the attackers.
The mirror provider appears to be a company called CDNetworks that specializes in Internet content delivery. CDNetworks has been operating SourceForge mirror servers in the U.S. and Asia since 2009. A spokeswoman for CDNetworks in the U.S. said she was looking into the incident, but was not immediately able to provide more information about the apparent security breach.
It's not clear why the rogue package modification wasn't detected earlier since by definition mirror servers should mirror the content from a central repository. "Automated mirror validation occurs on an ongoing basis and SHA1/MD5 sums [file digital fingerprints] are provided for validation client-side," Rich Bowen, a SourceForge official, said Tuesday via email.