Severe security issues in default configuration
Posted: 08. December 2010 13:02
Hello there,
related to a lot of XAMPP installations on Windows servers (which we do not manage ourselves), we are experiencing problems with hacked machines. The default configuration of XAMPP allows accessing the system using WebDAV with a default password and makes uploading and executing malicious scripts possible for everyone, which makes DoS-performing zombies spring up like mushrooms. I'm aware of the fact that XAMPP is not intended to be used on public servers, but a certain audience is used to doing so. Nevertheless, any hint regarding that hole is missing in the FAQ.
This is not a new problem:
https://www.metasploit.com/redmine/issues/2170
http://www.fortiguard.com/encyclopedia/ ... pload.html
I think it is irresponsible to offer XAMPP to an ingenuous audience while keeping the default configuration insecure - 50% of the users who are aware of the fact that XAMPP's default configuration is insecure are not interested in system security at all.
So who do I need to contact? Is there a mailing list, someone responsible?
Regards
Christian
PS I also posted this in German in the German section.
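As an added example (not part of Christian's post or of XAMPP itself): a defender-side check, in Python, that walks Apache access-log lines and flags the pattern described above, a script file written through a WebDAV method and then requested for execution. It assumes Apache's combined log format; the log lines, IP addresses, paths and user name are constructed.

```python
import re
from dataclasses import dataclass

# Apache combined log format (assumed to be what the XAMPP Apache writes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# WebDAV methods that can place or rename content on the server.
DAV_WRITE_METHODS = {"PUT", "MOVE", "COPY"}
# Extensions the web server would execute rather than serve as static files.
SCRIPT_EXTS = (".php", ".phtml", ".php3", ".php5", ".pl", ".cgi")


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int
    reason: str


def scan(lines):
    """Return one Finding per suspicious WebDAV write or follow-up request."""
    findings = []
    uploaded = set()  # script paths that were successfully written via WebDAV
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash on odd input
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # drop query string before matching
        is_script = path.lower().endswith(SCRIPT_EXTS)
        if method in DAV_WRITE_METHODS and is_script:
            if 200 <= status < 300:
                uploaded.add(path)
                findings.append(Finding(ip, method, path, status, "script uploaded via WebDAV"))
            else:
                findings.append(Finding(ip, method, path, status, "script upload attempted"))
        elif method == "GET" and path in uploaded:
            findings.append(Finding(ip, method, path, status, "uploaded script executed"))
    return findings


# Constructed sample log; "davuser" is a placeholder, not any real default account.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Dec/2010:13:02:11 +0100] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.9 - davuser [08/Dec/2010:13:05:42 +0100] "PUT /webdav/cmd.php HTTP/1.1" 201 0',
    '10.0.0.9 - - [08/Dec/2010:13:05:50 +0100] "GET /webdav/cmd.php?c=id HTTP/1.1" 200 87',
    '10.0.0.9 - davuser [08/Dec/2010:13:06:01 +0100] "PUT /webdav/notes.txt HTTP/1.1" 201 0',
    '10.0.0.7 - - [08/Dec/2010:13:06:03 +0100] "PUT /webdav/shell.php HTTP/1.1" 401 0',
]
```

The upload-then-request pairing is the signal worth alerting on; a plain text PUT from an authenticated user is left out so the check stays quiet on legitimate WebDAV use.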