XAMPP 1.6.1 - three security questions

PostPosted: 05. May 2007 00:03
by Dave_L
[XAMPP for Windows 1.6.1]

I have three security questions.

1) I installed XAMPP in c:/xampp/ on WinXP, using the installer.

The XAMPP DIRECTORY PROTECTION (.htaccess) function of http://localhost/security/xamppsecurity.php creates .htaccess files in c:/xampp/htdocs/xampp/ and in c:/xampp/security/htdocs/.

It does not create an .htaccess file in c:/xampp/htdocs/, which would protect the whole web directory.

Is the intent to protect only the XAMPP control panel?

2) Also, is there a list of which non-alphanumeric characters are allowed in the password? For example, / and % aren't accepted, and I don't see the reason for that.

3) The blowfish passphrase in phpMyAdmin's config.inc.php is set to "xampp". Do you recommend changing that? Since it's not something that one needs to remember or type in, I usually set it to a string of 32 randomish characters.

Good Questions

PostPosted: 30. May 2007 21:04
by Snoopy.pa30
One more question...

What does the blowfish password do?

And for you Moderators out there, as Security is such an important issue, what about making up a few good sticky notes on the issue and creating a forum just for that.

I would offer to help, but I am just a user who needs to know the answers.

PostPosted: 30. May 2007 21:24
by Dave_L
As stated in config.inc.php, "The 'cookie' auth_type uses blowfish algorithm to encrypt the password."

Thanks

PostPosted: 01. June 2007 02:52
by Snoopy.pa30
Dave,

Thanks.

I should have looked in the file myself.

Sorry for being lazy, but thanks for the response.

Now we just need someone who can answer your original (intelligent) questions.

PostPosted: 02. June 2007 19:23
by Codesmith
1) The intent is to keep visitors from being able to access the XAMPP configuration pages via a web browser. What else would their intent be?

If you want to create access restrictions to the pages you are hosting, that's your responsibility.

In addition to authentication, .htaccess files can also be created to make configuration changes local to a specific folder.

Google .htaccess for more information.

2) You will have to check the Apache documentation to see what characters are allowed.

If it turns out the XAMPP security page is being unnecessarily restrictive, you can simply set up your own .htaccess file.

3) By all means change the passphrase. Really it should be part of XAMPP's security setup in my opinion.

The passphrase is used to encrypt your password when you are using phpMyAdmin's cookie mode.

If someone has your cookie and knows the passphrase, then they have your password.

Blowfish happens to require an unusually long time to generate new keys compared to other algorithms, making it more resistant to brute-force dictionary attacks.

However choosing a secure password or passphrase is always a good idea.

Personally I don't use phpMyAdmin's cookie mode. I use HTTP authentication.
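
The hand-made .htaccess setup Codesmith suggests for question 1 and 2, plus a replacement for the "xampp" blowfish passphrase from question 3, as an added example that is not part of the original thread and is not XAMPP's or Apache's own code. It assumes Python 3, a constructed user name and password, and the path c:/xampp/security/htpasswd for the password file (my assumption for a location outside the web root; the htdocs path is the one from the thread). The .htpasswd line uses the {SHA} scheme that Apache 2.2's `htpasswd -s` writes, so any character the XAMPP page rejects is fine here: the password is hashed before it reaches the file.

```python
# Added example, not from the XAMPP forum thread or from XAMPP/Apache itself.
# Generates the pieces for protecting c:/xampp/htdocs by hand:
#   - a .htpasswd line in the {SHA} format Apache 2.2's "htpasswd -s" writes,
#   - the matching .htaccess stanza,
#   - a random $cfg['blowfish_secret'] line for phpMyAdmin's config.inc.php.
# The password-file path, user name and passwords below are assumptions.
import base64
import hashlib
import secrets
import string

HTPASSWD_PATH = "c:/xampp/security/htpasswd"  # assumed location, outside htdocs


def htpasswd_line(user: str, password: str) -> str:
    """Return 'user:{SHA}base64(sha1(password))', a format Apache's
    AuthUserFile accepts. The password is hashed, so characters such as
    / and % that xamppsecurity.php rejects need no escaping here."""
    if ":" in user or not user:
        raise ValueError("user name must be non-empty and contain no ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def check_password(line: str, user: str, password: str) -> bool:
    """Verify a password against a {SHA} .htpasswd line (what Apache does on
    every request to the protected directory), with a constant-time compare."""
    stored_user, sep, stored_hash = line.partition(":")
    if not sep or stored_user != user or not stored_hash.startswith("{SHA}"):
        return False
    expected = htpasswd_line(user, password).partition(":")[2]
    return secrets.compare_digest(stored_hash, expected)


def htaccess(realm: str, htpasswd_path: str = HTPASSWD_PATH) -> str:
    """The .htaccess stanza to drop into c:/xampp/htdocs/. Apache only honours
    it if httpd.conf's <Directory> for htdocs has AllowOverride AuthConfig
    (or All); with AllowOverride None the file is silently ignored."""
    return "\n".join([
        "AuthType Basic",
        f'AuthName "{realm}"',
        f"AuthUserFile {htpasswd_path}",
        "Require valid-user",
        "",
    ])


def blowfish_secret_line(length: int = 32) -> str:
    """A config.inc.php line whose secret comes from the OS CSPRNG, replacing
    the shipped value 'xampp'. Nobody has to type it, so length is free."""
    alphabet = string.ascii_letters + string.digits
    secret = "".join(secrets.choice(alphabet) for _ in range(length))
    return f"$cfg['blowfish_secret'] = '{secret}';"


if __name__ == "__main__":
    # Constructed sample credentials; the password contains the two
    # characters the thread says xamppsecurity.php refuses.
    line = htpasswd_line("dave", "pa/ss%word")
    print(line)
    print(check_password(line, "dave", "pa/ss%word"))
    print(htaccess("XAMPP htdocs"))
    print(blowfish_secret_line())
```

Write the first output line to the file named in AuthUserFile and the stanza to c:/xampp/htdocs/.htaccess; everything under htdocs, including the xampp/ subdirectory, then prompts for a login. One caveat on the hash: {SHA} is unsalted SHA-1, so if the .htpasswd file ever leaks, an offline dictionary attack on it is cheap. The apr1-MD5 format that the htpasswd tool in Apache's bin directory writes by default is salted, and Apache 2.4 also accepts bcrypt; prefer one of those for anything beyond a local XAMPP box.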

Hope add ZendOptimizer-3.2.8

PostPosted: 04. June 2007 06:56
by capelin
Hoping you add a new ZendOptimizer-3.2.8.