People in public can get into the Xampp login page!

Problems with the Windows version of XAMPP, questions, comments, and anything related.

People in public can get into the Xampp login page!

Postby Dixcuxx » 01. April 2009 05:14

Is this safety at all? So normally we can login xampp by going to localhost, then is the username and password input box come out. However, after I config apache to list my website public, pointing to the localhost from outside by direct going to my ip, would also go to that xampp login page too.

I tried and there isn't a limit of username and password trying, isn't this so not safe? People just can write a program to keep trying again and again for my username and password!

:(
My Community Project:
http://Dixcuxx.com
User avatar
Dixcuxx
 
Posts: 15
Joined: 23. February 2009 07:48
Location: Asia

Re: People in public can get into the Xampp login page!

Postby Izzy » 01. April 2009 06:28

Use a password strong enough to be impossible for a dictionary attack to succeed as with all passwords you create with Internet access.

Read the readme-en.txt file section:
A matter of security A MUST READ!
which explains the use of XAMPP for development not for a production environment.
Izzy
 
Posts: 3344
Joined: 25. April 2006 17:06

Re: People in public can get into the Xampp login page!

Postby Dixcuxx » 01. April 2009 06:44

Izzy wrote:Use a password strong enough to be impossible for a dictionary attack to succeed as with all passwords you create with Internet access.

Read the readme-en.txt file section:
A matter of security A MUST READ!
which explains the use of XAMPP for development not for a production environment.


This solution only works if there is a limit for a specific number of try. Let's say someone cannot try again once he tries five times or so on. But for xampp, the page can just continue to try forever without any limit or restriction. So if somoene seriously write a program and just let the program runs, the password with user name would eventually guess right, just depend on how long time.

How can Xampp have such a big security hole?
My Community Project:
http://Dixcuxx.com
User avatar
Dixcuxx
 
Posts: 15
Joined: 23. February 2009 07:48
Location: Asia

Re: People in public can get into the Xampp login page!

Postby Nobbie » 01. April 2009 08:19

Dixcuxx wrote:So if somoene seriously write a program and just let the program runs, the password with user name would eventually guess right, just depend on how long time.


Maybe in 10.000.000 Million Years (or more) someone accidently may succeed. Does this really threaten you?

Dixcuxx wrote:How can Xampp have such a big security hole?


I dont think, that there is a security hole, I think there is a knowledge hole. You should simply deny access to directories which you want to protect from outside access, instead of using user/password protection - there are many powerfull options in Apache to do so.

Did you read the "A Matter of security (A MUST READ!)" before you decided to go online with Xampp?
Nobbie
 
Posts: 8759
Joined: 09. March 2008 13:04

Re: People in public can get into the Xampp login page!

Postby Dixcuxx » 02. April 2009 04:34

Nobbie wrote:
Dixcuxx wrote:So if somoene seriously write a program and just let the program runs, the password with user name would eventually guess right, just depend on how long time.


Maybe in 10.000.000 Million Years (or more) someone accidently may succeed. Does this really threaten you?

Dixcuxx wrote:How can Xampp have such a big security hole?


I dont think, that there is a security hole, I think there is a knowledge hole. You should simply deny access to directories which you want to protect from outside access, instead of using user/password protection - there are many powerfull options in Apache to do so.

Did you read the "A Matter of security (A MUST READ!)" before you decided to go online with Xampp?


"A Matter of security (A MUST READ!)" hasn't mentioned how to solve this problem. I didn't know there is opinion in Apache or Windows to just deny this specific index.html page from outside world, and I doubt if there is such an option.
My Community Project:
http://Dixcuxx.com
User avatar
Dixcuxx
 
Posts: 15
Joined: 23. February 2009 07:48
Location: Asia

Re: People in public can get into the Xampp login page!

Postby Izzy » 02. April 2009 07:13

Allow from 127.0.0.1
Instead of
Allow from all
much like the Security folder in XAMPP.
There are several flavors of Allow and Deny available to you.
I didn't know there is opinion in Apache or Windows to just deny this specific index.html page from outside world, and I doubt if there is such an option.
Reading is the best form of accumulating knowledge not uninformed opinion, RTFM.
http://httpd.apache.org/docs/2.2/mod/directives.html
Izzy
 
Posts: 3344
Joined: 25. April 2006 17:06

Re: People in public can get into the Xampp login page!

Postby Nobbie » 02. April 2009 07:34

Dixcuxx wrote:I didn't know there is opinion in Apache or Windows to just deny this specific index.html page from outside world, and I doubt if there is such an option.


That's exactly what I meant - knowledge hole.
Nobbie
 
Posts: 8759
Joined: 09. March 2008 13:04

Re: People in public can get into the Xampp login page!

Postby Dixcuxx » 02. April 2009 07:57

Izzy wrote:Allow from 127.0.0.1
Instead of
Allow from all
much like the Security folder in XAMPP.
There are several flavors of Allow and Deny available to you.
I didn't know there is opinion in Apache or Windows to just deny this specific index.html page from outside world, and I doubt if there is such an option.
Reading is the best form of accumulating knowledge not uninformed opinion, RTFM.
http://httpd.apache.org/docs/2.2/mod/directives.html


It is you need to RTFM since we are talking about just control one specific page instead of the whole folder. Base on the setting you just mentioned, then there is now way to make the website be public. I RTM, but you have to RTFM!
My Community Project:
http://Dixcuxx.com
User avatar
Dixcuxx
 
Posts: 15
Joined: 23. February 2009 07:48
Location: Asia

Re: People in public can get into the Xampp login page!

Postby Nobbie » 02. April 2009 09:11

>It is you need to RTFM since we are talking about just control one specific page instead of the whole folder

Still RTFM. See http://httpd.apache.org/docs/2.0/en/mod/core.html#files
Nobbie
 
Posts: 8759
Joined: 09. March 2008 13:04

Re: People in public can get into the Xampp login page!

Postby Dixcuxx » 02. April 2009 10:32

Nobbie wrote:>It is you need to RTFM since we are talking about just control one specific page instead of the whole folder

Still RTFM. See http://httpd.apache.org/docs/2.0/en/mod/core.html#files


Believe me, it doesn't talk about that.
My Community Project:
http://Dixcuxx.com
User avatar
Dixcuxx
 
Posts: 15
Joined: 23. February 2009 07:48
Location: Asia

Re: People in public can get into the Xampp login page!

Postby Wiedmann » 02. April 2009 10:43

to just deny this specific index.html

Which specific "index.html" did you mean?
Wiedmann
AF Moderator
 
Posts: 17106
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Re: People in public can get into the Xampp login page!

Postby Dixcuxx » 02. April 2009 11:06

Wiedmann wrote:
to just deny this specific index.html

Which specific "index.html" did you mean?


The page to login Xampp, whenever you access localhost with default setting of XAMPP, then would require user name and password for that XAMPP control page.
My Community Project:
http://Dixcuxx.com
User avatar
Dixcuxx
 
Posts: 15
Joined: 23. February 2009 07:48
Location: Asia

Re: People in public can get into the Xampp login page!

Postby Wiedmann » 02. April 2009 11:14

The page to login Xampp,

So you mean "index.php" (in \htdocs\xampp) and not "index.html"?
Wiedmann
AF Moderator
 
Posts: 17106
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Re: People in public can get into the Xampp login page!

Postby Dixcuxx » 03. April 2009 04:03

Wiedmann wrote:
The page to login Xampp,

So you mean "index.php" (in \htdocs\xampp) and not "index.html"?


Whatever it is, just the page that show up while visiting loclahost
My Community Project:
http://Dixcuxx.com
User avatar
Dixcuxx
 
Posts: 15
Joined: 23. February 2009 07:48
Location: Asia

Re: People in public can get into the Xampp login page!

Postby Wiedmann » 03. April 2009 07:48

just the page that show up while visiting loclahost

Hmm, in a fresh XAMPP installation "http://localhost/" (\xampp\htdocs) just redirect you to "http://localhost/xampp/" (\xampp\htdocs\xampp).
But the reason for having/using a XAMPP is, to put your own stuff in htdocs. Thus the page you can see with "http://localhost/" is yours.
Wiedmann
AF Moderator
 
Posts: 17106
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Next

Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 28 guests