The latest stable version of phpMyAdmin — the popular, GUI-based MySQL database software — was released late last month, but thanks to a compromised download mirror, users running the newest version may still be vulnerable to hackers. At some point after September 22, an unknown attacker managed to insert a backdoor into one of the downloadable packages hosted on an official SourceForge download mirror.

Specifically, the attackers added a malicious file named server_sync.php to the all languages version of phpMyAdmin 3.5.2.2 stored on the cdnetworks-kr-1 server. This file is a serious exploit because hackers that know of (or discover) the backdoor via penetration testing (the exploit has been added to the Metasploit toolkit) can pass the web server code over standard HTTP POST requests. The attack is not limited to the MySQL databases under phpMyAdmin’s care either, so attackers could use this exploit to potentially take control of the entire web server.

Shady downloads are not a new development, but this particular case is notable because the compromised download came from a supposedly trustworthy source. SourceForge, a site that boasts 46 million users and hosts hundreds of thousands of software projects, has a certain inherent level of users’ trust due to its popularity — and it seems that the popularity also makes the site a giant target for attackers with malicious intent. Sites that are running the compromised code are potentially opened up to the attackers gaining access to customer data and generally being hijacked or having their pages openly defaced and deleted.

Thankfully, the modified package was discovered quickly (within days) and users were notified. According to SourceForge, the malicious phpMyAdmin package was downloaded a mere 400 times from the Korean download mirror. Further, the number of live websites using that backdoor-laden package should be smaller than the 400 total downloads as the exploit was discovered soon enough that the phpMyAdmin code should have still been in testing/development environments and not rolled out to live web servers yet. Therefore, the number of affected users should be relatively small. Even so, it is a particularly scary situation that could have been much worse had the backdoor gone unnoticed.

The fact that even a respected download site can be compromised certainly raises questions about what users can do to protect themselves. There is always a risk, especially when downloading from third party sites (official links or not), that the packages are not truly from the developer or have been modified in some way. One of the best solutions so far is for the developer to offer up a SHA1 or MD5 hash (aka checksum) of what the download should be. The developer creates a hash of the file, and shares both pieces of information with users. You can then create a hash of the file you downloaded yourself, and if it matches the developers’ hash you can be confident that you have an unmodified copy. If a file is modified in any way, it will have a completely different checksum when put through a hashing algorithm, and while it is not a perfect (or particularly easy) solution, taking advantage of the extra verification is one of the best ways to scrutinize the authenticity of a file.

In fact, the phpMyAdmin developers do utilize hashing to improve the security of their downloads. On the official site, they provide a MD5 checksum next to each download link. In addition to using a command line utility, you can verify a checksum on files using a download manager or browser extension in your operating system of choice.

The compromised phpMyAdmin fallout is minimal, but it does serve as a critical reminder to verify any downloads for authenticity if obtaining them from a third party site, and to only trust checksums provided directly from the software developers.

For more information, the Ubuntu community has put together a detailed guide on checking md5 checksums under Windows, Linux, and Mac OS X to keep yourself safe from malicious files.

[Image credit: wooyun.org]