Backdoor in phpMyAdmin

    On September 25, it became known that one of SourceForge's Korean mirrors (cdnetworks-kr-1) had been compromised.

    A backdoor was introduced into the phpMyAdmin-3.5.2.2-all-languages.zip archive hosted on this mirror.

    A server_sync.php file was added to the archive, containing the code:


    allowing the execution of arbitrary code.

    In addition, the js/cross_framing_protection.js file was modified; the following code was added to it:

    var icon ;
    icon = document.createElement("img");
    icon.src="http://logos.phpmyadmin-images.net/logo/logos.jpg";
    icon.width=0;
    icon.height=0;
    document.body.appendChild(icon);
    

    This code allows the attacker to learn about infected copies: each page load requests an invisible zero-size image from the host named in the script.
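
    The two changes described above can be checked for in an unpacked archive or a deployed copy. The script below is an added example, not code from phpMyAdmin, SourceForge or the advisory; the function names scan_install and build_sample_tree are hypothetical, the sample tree is constructed, and the search for the image host goes beyond the one script named here to cover every .js, .php and .html file in the tree.

```python
"""Added example: scan an unpacked phpMyAdmin tree for the indicators in this article."""
import os
import tempfile

# Indicators taken from the article text.
ADDED_FILE = "server_sync.php"                      # file added to the archive
MODIFIED_JS = os.path.join("js", "cross_framing_protection.js")
BEACON_HOST = "logos.phpmyadmin-images.net"         # host of the hidden image


def scan_install(root):
    """Return a list of (indicator, path) findings for one install root."""
    findings = []
    added = os.path.join(root, ADDED_FILE)
    if os.path.isfile(added):
        findings.append(("added-file", added))
    # Assumption: the host should appear nowhere, so all text assets are searched.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".js", ".php", ".html")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    if BEACON_HOST in fh.read():
                        findings.append(("beacon-host", path))
            except OSError:
                findings.append(("unreadable", path))
    return findings


def build_sample_tree(base, infected):
    """Constructed sample tree (not a real phpMyAdmin release)."""
    os.makedirs(os.path.join(base, "js"))
    js = "// constructed stand-in for the real script\n"
    if infected:
        js += 'icon.src="http://%s/logo/logos.jpg";\n' % BEACON_HOST
        with open(os.path.join(base, ADDED_FILE), "w") as fh:
            fh.write("<?php /* placeholder, contents not reproduced */ ?>\n")
    with open(os.path.join(base, MODIFIED_JS), "w") as fh:
        fh.write(js)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(os.path.join(tmp, "phpMyAdmin"), infected=True)
        for kind, path in scan_install(root):
            print(kind, os.path.relpath(path, root))
```

    Any finding means the copy should be replaced with a fresh download rather than cleaned in place.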

    At the moment, the compromised mirror is excluded from rotation.

    The SourceForge team determined from the logs that about 400 people downloaded this file. A warning was sent to every downloader who could be identified.

    An exploit for this vulnerability is already included in the Metasploit package.

    Sources:
    phpMyAdmin corrupted copy on Korean mirror server
    PMASA-2012-5
    Compromised SourceForge mirror
    Add exploit for phpmyadmin backdoor
