Worm quickly exploits default installation

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Worm quickly exploits default installation

Postby beckr » 04. July 2009 21:34

Hi all,
XAMPP for Windows in its default configuration, installed on a public server, is quickly exploited by a current worm as we just learned the hard way.
The problem is that Apache is configured to listen on all ports, which allows everyone to log in through phpMyAdmin without a password. Because MySQL has commands to interact with the file system *and* it has full access to it, someone can place a rogue script on the server, execute it, and take full control over the server.
Although the documentation mentions that XAMPP is not for production use and what should be done to secure the configuration, this is not emphasized anywhere - I bet 90% of users won't know about this unless you add in a big warning screen.
The default configuration should really be a bit more tighter to prevent this from happening - Apache could be bound to localhost only, or phpMyAdmin access could be limited to localhost only, or with an auto-generated password that is displayed in the installer. The security console could then allow to remove (not add) this functionality. Just my 2 cents.

Cheers,

Christian
beckr
 
Posts: 1
Joined: 04. July 2009 20:45

Re: Worm quickly exploits default installation

Postby roman2 » 05. July 2009 02:55

Apache could be bound to localhost only

Or local subnet (Windows Vista built-in firewall has this option).
roman2
 
Posts: 17
Joined: 03. July 2009 15:56
Operating System: 32-bit Windows 7

Re: Worm quickly exploits default installation

Postby XamppHacker » 26. July 2009 08:20

beckr wrote:Hi all,
XAMPP for Windows in its default configuration, installed on a public server, is quickly exploited...


Yes, very easily. This thing is abysmal when it comes to security.

I installed Xampp in a virtual machine today, then went about hacking it. This is way,way way too easy. The default config lets you jump into phpMyAdmin with no password...with root priv. It's trivial from there to use MySQL to create a .PHP script that lets you run just about any Windows command you want from the browser. Xampp happily runs all these commands, and spits the output to the browser: dir; dir ..\..\windows; dir ..\..\"documents and settings"\luser; ipconfig; hostname; tasklist; netstat; And on and on and on. And yes...shutdown -s works too. Good F***n gawd. This is a hackers wet dream.

I know the docs say 'don't put this on a production server', at least not until you secure it.

Are users listening? Do a Google search. No....they are not.
You don't have to Google very hard to find lots of wide open Xampp sites. (By wide open I mean I easily clicked myself into root user in MySQL. I didn't test anything beyond that, but I doubt I would fail at this point).

We could just say...stupid Lusers. The Xampp docs clearly state that it's not suitable for deployment on the net in it's default config. It even does a decent job of checking security, tellling you what's wrong, and telling you how to fix it. Yah, you would think that's enough. But it's obviously not.
Ask Google.
XamppHacker
 
Posts: 4
Joined: 26. July 2009 07:36


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 51 guests