XAMPP 1.6.1 - three security questions


Post by Dave_L » 05. May 2007 00:03

[XAMPP for Windows 1.6.1]

I have three security questions.

1) I installed XAMPP in c:/xampp/ on WinXP, using the installer.

The XAMPP DIRECTORY PROTECTION (.htaccess) function of http://localhost/security/xamppsecurity.php creates .htaccess files in c:/xampp/htdocs/xampp/ and in c:/xampp/security/htdocs/.

It does not create an .htaccess file in c:/xampp/htdocs/, which would protect the whole web directory.

Is the intent to protect only the XAMPP control panel?

2) Also, is there a list of which non-alphanumeric characters are allowed in the password? For example, / and % aren't accepted, and I don't see the reason for that.

3) The blowfish passphrase in phpMyAdmin's config.inc.php is set to "xampp". Do you recommend changing that? Since it's not something that one needs to remember or type in, I usually set it to a string of 32 randomish characters.
Dave_L
 
Posts: 212
Joined: 23. October 2004 00:43

Good Questions

Post by Snoopy.pa30 » 30. May 2007 21:04

One more question...

What does the blowfish password do?

And for you Moderators out there, as Security is such an important issue, what about making up a few good sticky notes on the issue and creating a forum just for that.

I would offer to help, but I am just a user who needs to know the answers.
Snoopy

"Still trying to shoot down that Red Baron"
Snoopy.pa30
 
Posts: 31
Joined: 02. March 2007 00:38
Location: Great White North

Post by Dave_L » 30. May 2007 21:24

As stated in config.inc.php, "The 'cookie' auth_type uses blowfish algorithm to encrypt the password."
Dave_L
 
Posts: 212
Joined: 23. October 2004 00:43

Thanks

Post by Snoopy.pa30 » 01. June 2007 02:52

Dave,

Thanks.

I should have looked in the file myself.

Sorry for being lazy, but thanks for the response.

Now we just need someone who can answer your original (intelligent) questions.
Snoopy

"Still trying to shoot down that Red Baron"
Snoopy.pa30
 
Posts: 31
Joined: 02. March 2007 00:38
Location: Great White North

Post by Codesmith » 02. June 2007 19:23

1) The intent is to keep visitors from being able to access the XAMPP configuration pages via a web browser. What else would their intent be?

If you want to create access restrictions to the pages you are hosting, that's your responsibility.

In addition to authentication, .htaccess files can also be created to make configuration changes local to a specific folder.

Google .htaccess for more information.

2) You will have to check the Apache documentation to see what characters are allowed.

If it turns out the XAMPP security page is being unnecessarily restrictive, you can simply set up your own .htaccess file.

3) By all means change the passphrase. Really it should be part of XAMPP's security setup in my opinion.

The passphrase is used to encrypt your password when you are using phpmyadmin's cookie mode.

If someone has your cookie and knows the passphrase then they have your password.

Blowfish happens to require an unusually long time to generate new keys compared to other algorithms, making it more resistant to brute force dictionary attack.

However, choosing a secure password or passphrase is always a good idea.

Personally I don't use phpMyAdmin's cookie mode. I use HTTP authentication.
Codesmith
 
Posts: 101
Joined: 31. March 2007 21:11
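
An added example, not part of any post in this thread and not XAMPP or phpMyAdmin code: a Python check for the blowfish passphrase in config.inc.php discussed above, with a helper that swaps in a random value. The sample config text is constructed, and the 32-character threshold is an assumption taken from the length Dave_L mentions.

```python
import re
import secrets
import string

# Constructed sample resembling the relevant lines of a phpMyAdmin config.inc.php.
SAMPLE_CONFIG = """<?php
/* The 'cookie' auth_type uses blowfish algorithm to encrypt the password. */
$cfg['blowfish_secret'] = 'xampp';
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
?>
"""

SECRET_RE = re.compile(r"""\$cfg\[['"]blowfish_secret['"]\]\s*=\s*(['"])(.*?)\1\s*;""")
AUTH_RE = re.compile(r"""\[['"]auth_type['"]\]\s*=\s*(['"])(.*?)\1\s*;""")

KNOWN_DEFAULTS = {"", "xampp"}  # "xampp" is the shipped value named in the thread
MIN_LENGTH = 32                 # assumption: the length the original poster uses

def audit_config(text):
    """Return a list of findings about the blowfish passphrase in config text."""
    findings = []
    uses_cookie = any(m.group(2) == "cookie" for m in AUTH_RE.finditer(text))
    m = SECRET_RE.search(text)
    if m is None:
        if uses_cookie:
            findings.append("cookie auth_type set but no blowfish_secret defined")
        return findings
    secret = m.group(2)
    if secret in KNOWN_DEFAULTS:
        findings.append("blowfish_secret is a known default value")
    if len(secret) < MIN_LENGTH:
        findings.append(f"blowfish_secret is only {len(secret)} characters")
    return findings

def new_secret(length=MIN_LENGTH):
    """Random passphrase using only characters safe inside a quoted PHP string."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def replace_secret(text, secret):
    """Return config text with the first blowfish_secret value replaced."""
    return SECRET_RE.sub(lambda _: f"$cfg['blowfish_secret'] = '{secret}';", text, count=1)

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(replace_secret(SAMPLE_CONFIG, new_secret()))
```
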

Hope you add ZendOptimizer-3.2.8

Post by capelin » 04. June 2007 06:56

Hope you add a new ZendOptimizer-3.2.8.
capelin
 
Posts: 2
Joined: 04. June 2007 06:50

