New Security Concept

Problems with the Windows version of XAMPP, questions, comments, and anything related.

New Security Concept

Postby stuffedget » 23. July 2013 00:32

Can I ask which developer decided to make life harder by implementing this "New Security Concept" idea?

They need a large pole inserting and hog roasting for inflicting this on end users who only want to write and test code on a local server. Grrrrrrrrrrrrrr


Can anyone please help solve a problem?

I wrote a simple test script in PHP that required "POST" values to be accessed, the script loads fine but when the page is submitted to the "localhost" that served the page, I get an "Access Denied" notice with the 403 forbidden notice.

After much searching I found several tutorials on various sites, none of which helped, so I then decided to just comment out the annoying security module that has been implemented.

Now I just get a

Access forbidden!

You don't have permission to access the requested object. It is either read-protected or not readable by the server.

If you think this is a server error, please contact the webmaster.

Error 403

127.0.0.1
Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7

notice, and no form post.

I have looked at the php.ini file and that appears to allow POSTing. The problem looks to be what XAMPP have done.

I would like to suggest to the XAMPP developers that in the install process that you ASK the person installing if the want this security implemented and not simply inflict it on people. I only run Apache when offline from the web, ergo no security problems. I also have a firewall that does not allow any incoming connections, again, no security concerns. If someone wants to run a computer on the internet without a firewall, that is their problem and they deserve whats coming, it I feel is not XAMPP's concern with safeguarding, your supplying a test base product that should give bells and whistles for development purposes.
stuffedget
 
Posts: 7
Joined: 23. July 2013 00:20
Operating System: Windows

Re: New Security Concept

Postby hackattack142 » 23. July 2013 02:11

Hello,

If you put your files in the root htdocs folder or your own folder in htdocs, you should not have that issue.

Without knowing how (if at all) you changed the default installation, where you are putting your test files, and how you are trying to access them there is not a lot I can suggest.
XAMPP Control Panel Developer
Latest CP: viewtopic.php?f=16&t=48932
hackattack142
 
Posts: 703
Joined: 20. May 2011 23:29
Operating System: Windows 7 Ultimate SP1 64-Bit

Re: New Security Concept

Postby stuffedget » 23. July 2013 04:16

It is a default install of 1.8.1

The form.php file is in the htdocs folder.

I have tried to resolve this forbidden access 403 error and every 403 error fix that pops up is for things like phpmyadmin, not being able to access the root folder and one fix claims that the error lies within skype (FFS) like I was born yesterday.

Code: Select all
#
# XAMPP settings
#

<IfModule env_module>
    SetEnv MIBDIRS "C:/XAMPP/php/extras/mibs"
    SetEnv MYSQL_HOME "\\xampp\\mysql\\bin"
    SetEnv OPENSSL_CONF "C:/XAMPP/apache/bin/openssl.cnf"
    SetEnv PHP_PEAR_SYSCONF_DIR "\\xampp\\php"
    SetEnv PHPRC "\\xampp\\php"
    SetEnv TMP "\\xampp\\tmp"
</IfModule>

#
# PHP-Module setup
#
LoadFile "C:/XAMPP/php/php5ts.dll"
LoadModule php5_module "C:/XAMPP/php/php5apache2_4.dll"

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>

#
# PHP-CGI setup
#
#<FilesMatch "\.php$">
#    SetHandler application/x-httpd-php-cgi
#</FilesMatch>
#<IfModule actions_module>
#    Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
#</IfModule>


<IfModule php5_module>
    PHPINIDir "C:/XAMPP/php"
</IfModule>

<IfModule mime_module>
    AddType text/html .php .phps
</IfModule>

ScriptAlias /php-cgi/ "C:/XAMPP/php/"
<Directory "C:/XAMPP/php">
    AllowOverride None
    Options None
    Require all denied
    <Files "php-cgi.exe">
          Require all granted
    </Files>
</Directory>

<Directory "C:/XAMPP/cgi-bin">
    <FilesMatch "\.php$">
        SetHandler cgi-script
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler None
    </FilesMatch>
</Directory>

<Directory "C:/XAMPP/htdocs/xampp">
    <IfModule php5_module>
       <Files "status.php">
          php_admin_flag safe_mode off
       </Files>
    </IfModule>
    AllowOverride AuthConfig
</Directory>

<IfModule alias_module>
    Alias /security "C:/XAMPP/security/htdocs/"
    <Directory "C:/XAMPP/security/htdocs">
        <IfModule php5_module>
          <Files "xamppsecurity.php">
             php_admin_flag safe_mode off
          </Files>
        </IfModule>
        AllowOverride AuthConfig
        Require all granted
   </Directory>

    Alias /licenses "C:/XAMPP/licenses/"
    <Directory "C:/XAMPP/licenses">
        Options +Indexes
        <IfModule autoindex_color_module>
            DirectoryIndexTextColor  "#000000"
            DirectoryIndexBGColor "#f8e8a0"
            DirectoryIndexLinkColor "#bb3902"
            DirectoryIndexVLinkColor "#bb3902"
            DirectoryIndexALinkColor "#bb3902"
        </IfModule>
        Require all granted
   </Directory>

    Alias /phpmyadmin "C:/XAMPP/phpMyAdmin/"
    <Directory "C:/XAMPP/phpMyAdmin">
        AllowOverride AuthConfig
        Require all granted
    </Directory>

    Alias /webalizer "C:/XAMPP/webalizer/"
    <Directory "C:/XAMPP/webalizer">
        <IfModule php5_module>
          <Files "webalizer.php">
             php_admin_flag safe_mode off
          </Files>
        </IfModule>
        AllowOverride AuthConfig
        Require all granted
    </Directory>
</IfModule>

#
# New XAMPP security concept
#
#<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
#   Order deny,allow
#   Allow from all
#   Allow from ::1 127.0.0.0/8 \
#      fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
#      fe80::/10 169.254.0.0/16
#
#   ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
#</LocationMatch>


I commented out the security measures and I am still met with a 403 forbidden error message.

any suggestions on where or what next?
stuffedget
 
Posts: 7
Joined: 23. July 2013 00:20
Operating System: Windows

Re: New Security Concept

Postby hackattack142 » 23. July 2013 04:50

Does the main XAMPP page even work?

Is there a .htaccess in your htdocs folder?

Did you make any changes to the main Apache config (listening ports, etc)?

Is this a fresh install or did you install over a previous installation?
XAMPP Control Panel Developer
Latest CP: viewtopic.php?f=16&t=48932
hackattack142
 
Posts: 703
Joined: 20. May 2011 23:29
Operating System: Windows 7 Ultimate SP1 64-Bit

Re: New Security Concept

Postby Altrea » 23. July 2013 13:25

Hi,

without any information about which request produces this HTTP status 403 providing help is not possible.
So we need the contents of your \xampp\apache\logs\access.log from that request.

best wishes,
Altrea
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 8294
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: New Security Concept

Postby stuffedget » 23. July 2013 15:27

hackattack142 wrote:Does the main XAMPP page even work?

Is there a .htaccess in your htdocs folder?

Did you make any changes to the main Apache config (listening ports, etc)?

Is this a fresh install or did you install over a previous installation?


As stated, it is a "Default" install with no changed and a fresh one too. The main XAMPP page shows up, the problem is as stated, the use of PHP's $_POST when submitting a form causes the error. It serves up PHP generated pages just fine, its the sending of data to the server that is the problem.

php.ini has been checked and it allows posts.

The 403 forbidden message is a server generated error.

Disabling the new security concept still results in the 403 forbidden error message.

The htdocs folder is where it should be in the XAMPP folder.
stuffedget
 
Posts: 7
Joined: 23. July 2013 00:20
Operating System: Windows

Re: New Security Concept

Postby stuffedget » 23. July 2013 15:53

I have given up. I will just develop and upload to the web server I pay for, it will take four times as long to get stuff debugged but at least I will know that the server is not running any crazy "Security Concept" or hidden settings that make life harder.

It might serve the people who develop this developer tool to take on board some wisdom and stop taking two steps back for every step forward that they think that they are making. Frankly you are not. In the past I have used on other OS installs this XAMPP tool with an out the box no issues with bells and whistles.

Having looked at the forum and internet searches, it would appear that this new security concept is the biggest cause of personal woes in getting the service up and running.

Theirs an old saying that is very true and will serve the developers of the XAMPP service... If it aint broke, don't fix it.

Thanks for the replies but I am not about to waste my time chasing down problems that never existed in earlier version.

Ciao.
stuffedget
 
Posts: 7
Joined: 23. July 2013 00:20
Operating System: Windows

Re: New Security Concept

Postby Altrea » 23. July 2013 15:59

I have requested very specific and needed debug information from you.
If you are not willing to provide that information, we can't provide good support.

The only thing I know for sure is that post requests are working very well at my not customized XAMPP test environment.
So the problem is very common an issue with your request or code.

The new security concept is an reaction to all the beginner user support requests of hacked XAMPP installations because using it in insecure environments it is not meant for. This concept secures the very sensitive parts against requests from public Ip addresses and I have never had any problems with that on local development environments.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 8294
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: New Security Concept

Postby stuffedget » 25. July 2013 00:12

Thanks for the offer but I have removed XAMPP and installed a webserver and PHP5 and its working nicely thanks.
stuffedget
 
Posts: 7
Joined: 23. July 2013 00:20
Operating System: Windows

Re: New Security Concept

Postby stuffedget » 25. July 2013 01:08

ALSO... When "Stopping" the server with the Stop button in the console, it kills the PC and my machine ends up rebooting.

The PHP doesn't work properly, as I stated, I installed a webserver and PHP5 and all is working fine, forms post, things upload and so on.

As for the implementation of "Security" that I am afraid is up to these individuals to understand that they need a Firewall which will stop any external snooping. Anyone who runs any PC or platform is hackable, Macs are just as hackable as *nix systems as are window boxes.

XAMPP has gone from a test environment to an unworkable nanny device that requires a degree in navigating settings.

I am happy in the knowledge that what I now write will work and has been tested, whereas before I got no end of warnings that variables in the $_POST were not defined, under this new webserver and PHP5 it outputs the content of those very same variables without a murmur.

So thanks for the offer of debugging, I have to say looking at the logs, it all seemed to show that no problems existed, so my synopsis is that XAMPP has a few bugs that are causing logs error reporting to not correctly report error codes, it crashes the system (not always) most of the time when stopping the webserver, it report errors that it shouldn't because of PHP integration problems.

I hope the developers work out what is wrong, revert back to or offer on install these security options by asking if the person installing the XAMPP system want to have the security turned on or not.

Ciao.
stuffedget
 
Posts: 7
Joined: 23. July 2013 00:20
Operating System: Windows

Re: New Security Concept

Postby stuffedget » 25. July 2013 01:09

When I say rebooting, its a hard boot like instantly turns off the PC.
stuffedget
 
Posts: 7
Joined: 23. July 2013 00:20
Operating System: Windows

Re: New Security Concept

Postby Altrea » 25. July 2013 06:34

stuffedget wrote:I hope the developers work out what is wrong

The developers can't work anything out without the chance to reproduce the issue so please provide your script or sample code to debug the issue.
As i said, there is no general problem with POST requests in XAMPP 1.8.1, otherwise the majority of php scripts would not be able to run.

Maybe your script is dependend on a specific PHP version or configuration parameter.
Maybe the issue is an combination of your OS/Software and XAMPP.

Nobody can say anything for sure to that issue with that amount of information we have at this time.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 8294
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: New Security Concept

Postby risingfish » 12. September 2013 03:43

Can I ask which developer decided to make life harder by implementing this "New Security Concept" idea?

They need a large pole inserting and hog roasting for inflicting this on end users who only want to write and test code on a local server. Grrrrrrrrrrrrrr



+1, Like, or what ever to that statement...

I use XAMPP on Windows for development, and run Linux on my production servers. I chose XAMPP because it was dead simple to get up and running, but now it looks like I'll be finding new install if this doesn't go away. At least make it optional.
risingfish
 
Posts: 1
Joined: 12. September 2013 03:40
Operating System: All

Re: New Security Concept

Postby Altrea » 12. September 2013 06:18

risingfish wrote:but now it looks like I'll be finding new install if this doesn't go away.

Then please do so. I don't really think you are willing to solve this issue. I have requested specific needed information to reproduce this issue which are not given by any of you.

risingfish wrote:At least make it optional.

Making essential security optional wasn't ever and will never be a solution.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 8294
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 39 guests