
Help in securing XAMPP

Posted: 23. October 2009 01:20
by Flo1
I have been successfully using xampp as a development server for quite a while, have found it unbelievably useful. But I have just discovered it appears it is not secure. I discovered by chance that someone is pointing their domain name to my local server (I have no idea how or why but I have tracked down who owns the domain name). When you enter the rogue domain name in a browser, it directs to the xampp Welcome screen on my computer. My local test websites can be viewed with http://www.roguedomainname/testwebsite as well. It is as if I am running a public website. This is of course a problem.

I apparently missed the step about securing XAMPP, I guess because I never intended it to be public. I again looked through documentation, forums, etc., and it looks like I need to change the root password for MySQL & XAMPP at the very least. But I cannot seem to change the root password for MySQL + XAMPP, as directed in the readme directions,

"To fix most of the security weaknesses simply call the following URL:
http://127.0.0.1/xampp/xamppsecurity.php
The root password for MySQL + phpMyAdmin and also a XAMPP directory protection can be established here."

When I change the password on that security page, nothing changes. I close down Apache and restart, clear the cache, and it still reports the MySQL admin user root has NO password. I am at a loss as to how to secure this. Usually I am missing the obvious, does anyone have a suggestion?

My configuration on an XP:
ApacheFriends XAMPP (basic package) version 1.4.15
+ Apache 2.0.54
+ MySQL 4.1.13
+ PHP 5.0.4 + PHP 4.4.0 + PEAR
+ eAccelerator 0.9.3(PHP5) / 0.9.4-dev(PHP4)
+ PHP-Switch win32 1.0
+ XAMPP Control Version 2.1 from http://www.nat32.com
+ XAMPP Security 1.0
+ SQLite 2.8.15
+ OpenSSL 0.9.8
+ phpMyAdmin 2.6.3-pl1

Re: Help in securing XAMPP

Posted: 23. October 2009 01:48
by Izzy
Flo1 wrote:...I discovered by chance that someone is pointing their domain name to my local server...
Open the httpd.conf file and change the Listen directive from
Listen 80
to
Listen 127.0.0.1:80

Check in the Windows hosts file that you have this entry as the first in the list:
127.0.0.1 localhost
Check that you don't have any rogue entries then save the file.
Right click on the hosts file and select Properties, click on the Read-only check box.

Don't have the server running unless you need it, in other words uninstall the NT service by removing the ticks in the Svc boxes of the XAMPP Control Panel then start the servers manually when you need to do some developing.


Flo1 wrote:When I change the password on that security page, nothing changes.
Go to \xampp\mysql folder and double click on the resetroot.bat file.

Now go back to the security page and enter your password again for the root user.

Test again.

You may possibly be a tad more secure than before you did the above changes - keep your eye on the Apache access and error logs when the server is running.

Block in your firewall any rogue addresses you find in the logs.

Good luck.
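One way to check the two settings described in the reply above from a defender's side, as an added example that is not part of the original thread; the httpd.conf and hosts contents are constructed samples, and the file paths in the comments are the usual XAMPP and Windows locations, assumed here:

```python
"""Audit an Apache httpd.conf and a Windows hosts file for the two points raised
above: a Listen directive bound to every interface, and hosts-file entries other
than the expected localhost line. Constructed example, not from the thread."""
import re

# Constructed samples standing in for \xampp\apache\conf\httpd.conf and
# C:\WINDOWS\system32\drivers\etc\hosts on the poster's machine.
SAMPLE_HTTPD_CONF = """\
# Apache listens on this port
Listen 80
ServerName localhost:80
"""
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.roguedomainname
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def exposed_listen_directives(conf_text):
    """Return Listen values that bind all interfaces ('80', '0.0.0.0:80',
    '[::]:80'); an empty list means every socket is pinned to an explicit
    address such as 127.0.0.1:80, which is the change recommended above."""
    exposed = []
    for value in LISTEN_RE.findall(conf_text):
        host, _, _port = value.rpartition(":")
        if host.strip("[]") in ("", "0.0.0.0", "::"):
            exposed.append(value)
    return exposed


def parse_hosts(hosts_text):
    """Yield (ip, name) pairs from a hosts file, ignoring comments and blanks."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            for name in names:
                yield ip, name


def hosts_findings(hosts_text):
    """Report whether '127.0.0.1 localhost' is the first entry and list every
    other entry so it can be reviewed for anything unexpected."""
    entries = list(parse_hosts(hosts_text))
    first_ok = bool(entries) and entries[0] == ("127.0.0.1", "localhost")
    others = [e for e in entries if e != ("127.0.0.1", "localhost")]
    return {"first_entry_ok": first_ok, "other_entries": others}
```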

Re: Help in securing XAMPP

Posted: 23. October 2009 03:08
by Flo1
Izzy, thank you for responding. I followed your instructions for changing root password, but the security page still shows password is unsecured as root.

Re: Help in securing XAMPP

Posted: 23. October 2009 04:20
by Izzy
Flo1 wrote:I followed your instructions for changing root password, but the security page still shows password is unsecured as root.
First try restarting MySQL after running the bat file.

I should have realized you are using a very old version of XAMPP, my instructions were for 1.7.1>

In older versions of XAMPP the resetroot.bat file was buggy.

There is a patch that contains a bug free resetroot.bat file...

http://sourceforge.net/projects/xampp/files/XAMPP Windows/1.7/xampp-patch2-win32-1.7.0.zip

...which you may like to try, as it was for a newer version than your 'last century' version of XAMPP :) All you need do is extract and overwrite the original file, but make a copy of the original first.

You can make a copy of the bat file first, in case there are issues, by dragging the original while holding down the Ctrl key.

Only extract the resetroot.bat file which in the zip file is in the mysql folder.

After replacing the old bat file follow my instructions above again then restart MySQL.

Better luck this time. ;)

Below is the content of the new resetroot.bat file, which you may use to replace the contents of the old file - usually right click on the resetroot.bat file and select edit, or drag it into an open text editor like Notepad, for example.

Code:
@ECHO OFF
REM Stop any running MySQL server process so the grant tables can be rewritten
..\apache\bin\pv.exe --kill --force mysqld*.exe >nul 2>&1

REM Build a SQL script that recreates the root and pma accounts with empty passwords

ECHO USE `mysql`; >resetroot.sql
ECHO. >>resetroot.sql
ECHO INSERT IGNORE INTO `user` VALUES ('localhost', 'root', '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', 0, 0, 0, 0); >>resetroot.sql
ECHO REPLACE INTO `user` VALUES ('localhost', 'root', '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', 0, 0, 0, 0); >>resetroot.sql
ECHO INSERT IGNORE INTO `user` VALUES ('localhost', 'pma', '', 'N', 'N', 'N', 'N', 'N', 'N', 'Y', 'Y', 'Y', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', '', '', '', '', 0, 0, 0, 0); >>resetroot.sql
ECHO REPLACE INTO `user` VALUES ('localhost', 'pma', '', 'N', 'N', 'N', 'N', 'N', 'N', 'Y', 'Y', 'Y', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', '', '', '', '', 0, 0, 0, 0); >>resetroot.sql

REM Run mysqld in bootstrap mode, bound to loopback only, so the script is applied without authentication
bin\mysqld.exe --no-defaults --bind-address=127.0.0.1 --bootstrap --console --skip-grant-tables --skip-innodb --standalone <resetroot.sql  >resetroot.err 2>&1
IF ERRORLEVEL 1 GOTO FEHLER
GOTO KEINFEHLER

:FEHLER
TYPE resetroot.err
ECHO.
ECHO Passwoerter fuer Benutzer "root" und "pma" wurden nicht geloescht!
ECHO Passwords for user "root" and "pma" were not deleted!
GOTO WEITER

:KEINFEHLER
ECHO.
ECHO Passwoerter fuer Benutzer "root" und "pma" wurden geloescht.
ECHO Passwords for user "root" and "pma" were deleted.
ECHO.
ECHO Bitte den MySQL Server neu starten.
ECHO Please restart the MySQL server.
GOTO WEITER

:WEITER
DEL resetroot.err
DEL resetroot.sql
ECHO.
PAUSE

Re: Help in securing XAMPP

Posted: 23. October 2009 05:46
by Flo1
Thanks for staying with this. But no luck yet.

I followed these steps as you outlined:

1. downloaded the patch and unzipped in a temp folder
2. replaced the contents of the old mysql/resetroot.bat file with the new (kept a copy of the old)
3. double clicked on the mysql/resetroot.bat file. Console said "passwords for root and pma were deleted, please restart the mysql server."
4. restarted the mysql server.
5. went back to the security page and entered my password again for the root user (7 alphanumeric digits). Also, selected "cookie"
(is this okay? does it matter if I check http or cookie--I've tried both and don't see difference)
6. restarted mysql
7. returned to the security screen.

No success. Nothing has changed. Still showing unsecured with no password for mysql admin user root.
I had even disabled my symantec antivirus software before doing this (don't know if that is necessary, but why not try).

Re: Help in securing XAMPP

Posted: 23. October 2009 06:14
by Izzy
Try http://localhost and tell me what you see.

Try http://localhost/phpmyadmin and tell me please what you see.

Clear your browser's cache.

Re: Help in securing XAMPP

Posted: 23. October 2009 06:30
by Flo1
I cleared my browser's cache.

Entering http://localhost brings up the XAMPP splash screen with Welcome, and the browser bar then says http://localhost/xampp

Entering http://localhost/phpmyadmin brings up phpMyAdmin, where I can edit databases. At the top it says MySQL 4.1.13 running on localhost as root@localhost and has a warning at the bottom of the screen.

Re: Help in securing XAMPP

Posted: 23. October 2009 06:36
by Izzy
Flo1 wrote:Entering http://localhost/phpmyadmin brings up PHPMyAdmin, where I can edit databases. At the top it says MySQL 4.1.13 running on localhost as root@localhost and has a warning at bottom of screen.
So you didn't have to enter a username or a password to access phpMyAdmin - no window to enter the credentials?

Re: Help in securing XAMPP

Posted: 23. October 2009 06:44
by Flo1
Correct.

Re: Help in securing XAMPP

Posted: 23. October 2009 06:54
by Izzy
Strange indeed.

Consider upgrading your very old XAMPP version to even further enhance the security of your installation.