XAMPP Security Concept

Postby davepfz » 15. September 2010 21:57

I realize that this subject has been posted before, but it seems I have run into a different problem. I modified the httpd-xampp.conf file so that the Location Match section is:
#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Order deny,allow
    Deny from all
    Allow from ::1 127.0.0.0/8 \
               fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 68.33.0.0/16 \
               fe80::/10 169.254.0.0/16

    ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>


And I see in the access log that someone from 65.113.229.33 got in and viewed the pages. How did this IP make it through the filter?

A slightly different question: Where can I find more info on the fc00::/7 construct? I presume that it's IPv6 format...
davepfz
 
Posts: 6
Joined: 15. September 2010 21:25

Re: XAMPP Security Concept

Postby Altrea » 15. September 2010 22:04

davepfz wrote:And I see in the access log that someone from 65.113.229.33 got in and viewed the pages. How did this IP make it through the filter?

Well, you can request each site from every public IP. What matters is which HTTP code your Apache responds with on that request. It should be in your access.log, too.

davepfz wrote:A slightly different question: Where can I find more info on the fc00::/7 construct? I presume that it's IPv6 format...

It is IPv6, correct. You can find info on Google or Wikipedia:

http://en.wikipedia.org/wiki/IPv6
http://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
Altrea
AF Moderator
 
Posts: 8290
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: XAMPP Security Concept

Postby davepfz » 16. September 2010 03:36

Thanks for the pointer on IPv6. That helped a lot.

However, you didn't help explain how IP 65.113.229.33 got through the filters. As I understood it, the deny rule applies unless the access is explicitly allowed. In this case, in addition to the usual local IP addresses, I've allowed 68.33.0.0/16 which should allow 68.33.xxx.xxx but exclude others like 65.113.xxx.xxx.

How can I set the LocationMatch parameters so that only external addresses 68.33.xxx.xxx are allowed in?
davepfz
 
Posts: 6
Joined: 15. September 2010 21:25

Re: XAMPP Security Concept

Postby Altrea » 16. September 2010 04:58

davepfz wrote:However, you didn't help explain how IP 65.113.229.33 got through the filters.

Well, I tried to explain this, but maybe my English is not understandable enough to make it clear.

Your access log gets EVERY request attempt, completely independent of whether it was successful or not.
If a requester is stopped by the access rule, he or she gets an HTTP status code 403.

You can simply test this if you remove the complete Allow from... rule and try to access your site yourself.
You get an access log entry similar to this:
127.0.0.1 - - [16/Sep/2010:05:49:26 +0200] "GET /xampp/ HTTP/1.1" 403 [...]


The access to the site was rejected (you can see there is an HTTP status code 403 in the message).
Altrea
AF Moderator
 
Posts: 8290
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: XAMPP Security Concept

Postby Nobbie » 16. September 2010 09:40

davepfz wrote:And I see in the access log that someone from 65.113.229.33 got in and viewed the pages.


Which pages? Can you show us the log?
Nobbie
 
Posts: 8768
Joined: 09. March 2008 13:04

Re: XAMPP Security Concept

Postby davepfz » 16. September 2010 14:34

Here's a segment of the log showing the access. (Note that to protect myself I have obfuscated my domain name.)
    65.113.229.33 - - [14/Sep/2010:08:44:58 -0400] "GET /Pictures HTTP/1.1" 301 463 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
    65.113.229.33 - - [14/Sep/2010:08:44:58 -0400] "GET /Pictures/ HTTP/1.1" 200 2398 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
    65.113.229.33 - - [14/Sep/2010:08:45:04 -0400] "GET /Pictures/css/style.css HTTP/1.1" 200 1886 "http://x-hidden-x.com/Pictures/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
    65.113.229.33 - - [14/Sep/2010:08:45:04 -0400] "GET /Pictures/ HTTP/1.1" 200 2398 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
    65.113.229.33 - - [14/Sep/2010:08:45:04 -0400] "GET /Pictures/spgm.js HTTP/1.1" 200 2985 "http://x-hidden-x.com/Pictures/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
    65.113.229.33 - - [14/Sep/2010:08:45:04 -0400] "GET /Pictures/flavors/default/spgm_style.css HTTP/1.1" 200 4788 "http://x-hidden-x.com/Pictures/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
    65.113.229.33 - - [14/Sep/2010:08:45:05 -0400] "GET /Pictures/flavors/default/new.jpg HTTP/1.1" 200 554 "http://x-hidden-x.com/Pictures/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
    65.113.229.33 - - [14/Sep/2010:08:45:05 -0400] "GET /Pictures/flavors/default/folder.jpg HTTP/1.1" 200 2893 "http://x-hidden-x.com/Pictures/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
    65.113.229.33 - - [14/Sep/2010:08:45:05 -0400] "GET /Pictures/contrib/overlib410/overlib.js HTTP/1.1" 200 48572 "http://x-hidden-x.com/Pictures/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
    65.113.229.33 - - [14/Sep/2010:08:45:12 -0400] "GET /Pictures/css/topleft.jpg HTTP/1.1" 200 525 "http://x-hidden-x.com/Pictures/css/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
    65.113.229.33 - - [14/Sep/2010:08:45:13 -0400] "GET /Pictures/css/topright.jpg HTTP/1.1" 200 525 "http://x-hidden-x.com/Pictures/css/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
There is no doubt that they were browsing the site.

For more information, the pages they are browsing are part of SPGM. At this point it's a 'standard' install.
davepfz
 
Posts: 6
Joined: 15. September 2010 21:25
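An added check (not from the thread) that applies the allow list and the LocationMatch regex from the httpd-xampp.conf snippet at the top of the thread to access-log lines, so each line can be explained: was the client inside an "Allow from" network, does the URL even match the rule, and what status did Apache return. The sample lines are constructed from the excerpts in this thread plus two made-up ones (68.33.10.20 and 203.0.113.5).

```python
import ipaddress
import re

# Allow list and URL regex copied from the httpd-xampp.conf snippet quoted in the thread
ALLOWED_NETS = [ipaddress.ip_network(n) for n in (
    "::1/128", "127.0.0.0/8", "fc00::/7", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "68.33.0.0/16", "fe80::/10", "169.254.0.0/16")]
PROTECTED = re.compile(
    r"^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))")
# Apache combined log: client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def ip_allowed(ip):
    """True if the client address falls inside any 'Allow from' network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def path_protected(path):
    """True if the requested URL is matched by the LocationMatch rule at all."""
    return PROTECTED.match(path) is not None

def classify(line):
    """Explain one access-log line: who asked, was the URL covered, what happened."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, status = m.group(1), m.group(3), int(m.group(4))
    if status == 403:
        verdict = "blocked"  # the rule worked; the attempt is still logged
    elif not path_protected(path):
        verdict = "served: URL not in LocationMatch"  # e.g. /Pictures/ in the thread
    elif ip_allowed(ip):
        verdict = "served: client in allow list"
    else:
        verdict = "ALERT: protected URL served to non-allowed client"
    return {"ip": ip, "path": path, "status": status, "verdict": verdict}

# Constructed sample lines modelled on the thread's log excerpt (not real traffic)
SAMPLE_LOG = """\
65.113.229.33 - - [14/Sep/2010:08:44:58 -0400] "GET /Pictures/ HTTP/1.1" 200 2398 "-" "Mozilla/5.0"
127.0.0.1 - - [16/Sep/2010:05:49:26 +0200] "GET /xampp/ HTTP/1.1" 403 1040 "-" "Mozilla/5.0"
68.33.10.20 - - [16/Sep/2010:06:01:00 +0200] "GET /phpmyadmin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Sep/2010:06:02:00 +0200] "GET /PhpMyAdmin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def audit(log_text):
    """Classify every parseable line of an access log."""
    return [r for r in map(classify, log_text.splitlines()) if r]
```

Only the fourth constructed line (a protected URL served with 200 to a client outside every allowed network) indicates the rule actually failed; a 200 on /Pictures/ is simply a URL the rule never covered.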

Re: XAMPP Security Concept

Postby Altrea » 16. September 2010 15:36

Well, only Directories that appear in the LocationMatch line are part of the new security concept. The reason for the new security concept is to protect the sensitive XAMPP administration tools from outside access. You must protect your own scripts and folders yourself if you want them protected, too.
Altrea
AF Moderator
 
Posts: 8290
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: XAMPP Security Concept

Postby davepfz » 16. September 2010 15:58

OK. That makes sense.

I guess I'm out of this topic area now, but is there something comparable for Apache? I wasn't able to locate anything with a quick search.

Thanks
davepfz
 
Posts: 6
Joined: 15. September 2010 21:25

Re: XAMPP Security Concept

Postby JonB » 16. September 2010 16:18

Well, it's pretty simple (I think): the folder they browsed is not part of the 'Location' enumeration,
i.e. Pictures is not listed.

The 'Security concept' is actually protecting URL names as it uses the Location directive.

http://httpd.apache.org/docs/current/sections.html

htdocs (and its children) are excluded as it is presumed you WOULD want them published.

You simply need a .htaccess file for Pictures (and whatever else) and a decision on what kind of authentication you want to use (it could be by IP if you just want to use it locally). Basic Authentication works out of the box with XAMPP (mod_auth).

Here's a tutorial

http://www.askapache.com/htaccess/htaccess.html

Note: It's NOT really Directories with Location, it's URLs, so it also works with symlinks and mod_rewrite.

:mrgreen:
Good Luck
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7
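An added example (not from the thread or the tutorial linked above) of the .htaccess JonB describes, placed in htdocs/Pictures and written in the same Apache 2.2 Order/Deny/Allow syntax as the XAMPP snippet, so that only loopback and 68.33.0.0/16 can reach that folder. It assumes AllowOverride All is in effect for htdocs; the Apache 2.4 equivalent is shown as a comment.

```apache
# htdocs/Pictures/.htaccess  (Apache 2.2 syntax, as used by httpd-xampp.conf)
# Default is deny; only the listed networks are let through.
Order deny,allow
Deny from all
Allow from 127.0.0.0/8 ::1 68.33.0.0/16
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var

# Apache 2.4 equivalent (mod_authz_core) should the server be upgraded:
# Require ip 127.0.0.0/8 ::1 68.33.0.0/16
```

A request from any other address is logged with status 403 in access.log, exactly as Altrea's example shows for the XAMPP pages.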

Re: XAMPP Security Concept

Postby Altrea » 16. September 2010 18:43

JonB wrote:Note: It's NOT really Directories with Location, it's URLs, so it also works with symlinks and mod_rewrite.

Oh wow. Can't believe I really wrote Directories :oops:
Altrea
AF Moderator
 
Posts: 8290
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64
