People in public can get into the Xampp login page!


Postby Dixcuxx » 01. April 2009 05:14

Is this safe at all? Normally we can log in to XAMPP by going to localhost, and then the username and password input box comes up. However, after I configured Apache to make my website public, pointing to the localhost from outside by going directly to my IP would also go to that XAMPP login page too.

I tried, and there isn't a limit on username and password attempts. Isn't this unsafe? People can just write a program to keep trying again and again for my username and password!

:(
My Community Project:
http://Dixcuxx.com
Dixcuxx
 
Posts: 15
Joined: 23. February 2009 07:48
Location: Asia

Re: People in public can get into the Xampp login page!

Postby Izzy » 01. April 2009 06:28

Use a password strong enough to be impossible for a dictionary attack to succeed as with all passwords you create with Internet access.

Read the readme-en.txt file section:
A matter of security A MUST READ!
which explains the use of XAMPP for development not for a production environment.
Izzy
 
Posts: 3344
Joined: 25. April 2006 17:06

Re: People in public can get into the Xampp login page!

Postby Dixcuxx » 01. April 2009 06:44

Izzy wrote:Use a password strong enough to be impossible for a dictionary attack to succeed as with all passwords you create with Internet access.

Read the readme-en.txt file section:
A matter of security A MUST READ!
which explains the use of XAMPP for development not for a production environment.


This solution only works if there is a limit on the number of tries. Let's say someone cannot try again once he has tried five times or so. But for XAMPP, the page lets you continue trying forever without any limit or restriction. So if someone seriously writes a program and just lets the program run, the password and username would eventually be guessed right; it just depends on how long it takes.

How can Xampp have such a big security hole?

Re: People in public can get into the Xampp login page!

Postby Nobbie » 01. April 2009 08:19

Dixcuxx wrote:So if someone seriously writes a program and just lets the program run, the password and username would eventually be guessed right; it just depends on how long it takes.


Maybe in 10.000.000 Million Years (or more) someone may accidentally succeed. Does this really threaten you?

Dixcuxx wrote:How can Xampp have such a big security hole?


I don't think that there is a security hole; I think there is a knowledge hole. You should simply deny access to directories which you want to protect from outside access, instead of using user/password protection - there are many powerful options in Apache to do so.

Did you read the "A Matter of security (A MUST READ!)" before you decided to go online with Xampp?
Nobbie
 
Posts: 13182
Joined: 09. March 2008 13:04

Re: People in public can get into the Xampp login page!

Postby Dixcuxx » 02. April 2009 04:34

Nobbie wrote:
Dixcuxx wrote:So if someone seriously writes a program and just lets the program run, the password and username would eventually be guessed right; it just depends on how long it takes.


Maybe in 10.000.000 Million Years (or more) someone may accidentally succeed. Does this really threaten you?

Dixcuxx wrote:How can Xampp have such a big security hole?


I don't think that there is a security hole; I think there is a knowledge hole. You should simply deny access to directories which you want to protect from outside access, instead of using user/password protection - there are many powerful options in Apache to do so.

Did you read the "A Matter of security (A MUST READ!)" before you decided to go online with Xampp?


"A Matter of security (A MUST READ!)" hasn't mentioned how to solve this problem. I didn't know there is opinion in Apache or Windows to just deny this specific index.html page from outside world, and I doubt if there is such an option.

Re: People in public can get into the Xampp login page!

Postby Izzy » 02. April 2009 07:13

Allow from 127.0.0.1
Instead of
Allow from all
much like the Security folder in XAMPP.
There are several flavors of Allow and Deny available to you.
I didn't know there is opinion in Apache or Windows to just deny this specific index.html page from outside world, and I doubt if there is such an option.
Reading is the best form of accumulating knowledge not uninformed opinion, RTFM.
http://httpd.apache.org/docs/2.2/mod/directives.html

Re: People in public can get into the Xampp login page!

Postby Nobbie » 02. April 2009 07:34

Dixcuxx wrote:I didn't know there is opinion in Apache or Windows to just deny this specific index.html page from outside world, and I doubt if there is such an option.


That's exactly what I meant - knowledge hole.

Re: People in public can get into the Xampp login page!

Postby Dixcuxx » 02. April 2009 07:57

Izzy wrote:Allow from 127.0.0.1
Instead of
Allow from all
much like the Security folder in XAMPP.
There are several flavors of Allow and Deny available to you.
I didn't know there is opinion in Apache or Windows to just deny this specific index.html page from outside world, and I doubt if there is such an option.
Reading is the best form of accumulating knowledge not uninformed opinion, RTFM.
http://httpd.apache.org/docs/2.2/mod/directives.html


It is you who needs to RTFM, since we are talking about controlling just one specific page instead of the whole folder. Based on the setting you just mentioned, there is no way to make the website public. I RTM, but you have to RTFM!

Re: People in public can get into the Xampp login page!

Postby Nobbie » 02. April 2009 09:11

>It is you who needs to RTFM, since we are talking about controlling just one specific page instead of the whole folder

Still RTFM. See http://httpd.apache.org/docs/2.0/en/mod/core.html#files
Nobbie
 
Posts: 13182
Joined: 09. March 2008 13:04
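
Added example, not part of any post in this thread: an Apache 2.2 configuration sketch of the two approaches named above, `Allow from 127.0.0.1` on the XAMPP directory and a `<Files>` block for one page, with the site itself left public. The `C:/xampp` install path and the file name `admin-status.php` are assumptions.

```apache
# Apache 2.2 access-control syntax (Order/Allow/Deny), as in the docs linked above.
# Assumption: XAMPP is installed in C:/xampp.

# Before (weak): everything under the document root, including
# htdocs/xampp, is reachable from any address.
# <Directory "C:/xampp/htdocs">
#     Order allow,deny
#     Allow from all
# </Directory>

# After: the public site stays open to everyone ...
<Directory "C:/xampp/htdocs">
    Order allow,deny
    Allow from all

    # ... except one specific page, restricted with <Files>.
    # "admin-status.php" is a hypothetical file name.
    <Files "admin-status.php">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from ::1
    </Files>
</Directory>

# The XAMPP pages (htdocs/xampp) answer only to the local machine.
# This longer path is merged after the parent <Directory> section,
# so it overrides "Allow from all" for this subtree only.
<Directory "C:/xampp/htdocs/xampp">
    Order deny,allow
    Deny from all
    # IPv4 and IPv6 loopback; "localhost" may resolve to either.
    Allow from 127.0.0.1
    Allow from ::1
</Directory>

# On Apache 2.4 the Order/Allow/Deny lines are replaced by "Require local".
```

After restarting Apache, a request for `/xampp/` from any non-loopback address should return 403 Forbidden while the rest of the site still loads.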

Re: People in public can get into the Xampp login page!

Postby Dixcuxx » 02. April 2009 10:32

Nobbie wrote:>It is you who needs to RTFM, since we are talking about controlling just one specific page instead of the whole folder

Still RTFM. See http://httpd.apache.org/docs/2.0/en/mod/core.html#files


Believe me, it doesn't talk about that.

Re: People in public can get into the Xampp login page!

Postby Wiedmann » 02. April 2009 10:43

to just deny this specific index.html

Which specific "index.html" did you mean?
Wiedmann
AF Moderator
 
Posts: 17102
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Re: People in public can get into the Xampp login page!

Postby Dixcuxx » 02. April 2009 11:06

Wiedmann wrote:
to just deny this specific index.html

Which specific "index.html" did you mean?


The page to login Xampp: whenever you access localhost with the default settings of XAMPP, it requires a user name and password for that XAMPP control page.

Re: People in public can get into the Xampp login page!

Postby Wiedmann » 02. April 2009 11:14

The page to login Xampp,

So you mean "index.php" (in \htdocs\xampp) and not "index.html"?

Re: People in public can get into the Xampp login page!

Postby Dixcuxx » 03. April 2009 04:03

Wiedmann wrote:
The page to login Xampp,

So you mean "index.php" (in \htdocs\xampp) and not "index.html"?


Whatever it is, just the page that shows up while visiting localhost

Re: People in public can get into the Xampp login page!

Postby Wiedmann » 03. April 2009 07:48

just the page that shows up while visiting localhost

Hmm, in a fresh XAMPP installation "http://localhost/" (\xampp\htdocs) just redirects you to "http://localhost/xampp/" (\xampp\htdocs\xampp).
But the reason for having/using XAMPP is to put your own stuff in htdocs. Thus the page you can see with "http://localhost/" is yours.