Thoughts on old security pages and new dashboard

Post by steve_t » 03. September 2015 20:29

OK. I just spent a couple of days figuring out XAMPP security and thinking about why you might have decided to remove the XAMPP 5.6.8- security web pages http://localhost/security/index.php (the subject status table) and http://localhost/security/xamppsecurity.php (the security console MySQL & XAMPP directory protection form). Here are my thoughts/suggestions.

Concerning XAMPP 5.6.8-

1.) I never found the security web pages http://localhost/security/index.php (the subject status table) and http://localhost/security/xamppsecurity.php (the security console MySQL & XAMPP directory protection form) to be buggy. I did, however, find them to be very confusing. Why? Because for some inexplicable/inexcusable reason they did not explain the XAMPP default security policy, which I will refer to as the New XAMPP Security Concept, whose code is located at the bottom of the C:\xampp\apache\conf\extra\httpd-xampp.conf file, which institutes a security policy that is different from the traditional security policy of most other LAMPs/WAMPs, and can be described as follows: "By default, most LAMPs/WAMPs expose a LAMP/WAMP directory vulnerability and a MySQL root user account has no password vulnerability to the LAMP/WAMP host computer and to computers on a network with the LAMP/WAMP host computer. The XAMPP New XAMPP Security Concept stops these two vulnerabilities from being exposed to computers on a network with the XAMPP host computer." In short, if this was explained somewhere on the XAMPP 5.6.8- security web pages: 1.) much of the users' preoccupation/confusion with changing the XAMPP directory, the MySQL root user account no password, and the phpMyAdmin no secure authentication type from insecure to secure would/could be stopped; and 2.) XAMPP might be applauded for resolving these vulnerabilities over a network by default. But because this is not explained on the front end, there is confusion, and time is wasted replying to posts on the af community forums on the back end.

2.) One thing that I liked about XAMPP 5.6.8- was that it offered the possibility (unfortunately never explained/implemented/realized) of instituting three separate security policies:

a.) The New XAMPP Security Concept (default) (recommended): Only the XAMPP host computer, not any computers on a network with the XAMPP host computer, is granted access to the XAMPP directory web pages and phpMyAdmin.

To institute the New XAMPP Security Concept, do nothing. The New XAMPP Security Concept is instituted as the default security policy. In this example, the code for the New XAMPP Security Concept is located at the bottom of the C:\xampp\apache\conf\extra\httpd-xampp.conf text file.

b.) The No Security Policy: The XAMPP host computer, and any computers on a network with the XAMPP host computer, are granted access to the XAMPP directory web pages and phpMyAdmin.

To institute the No Security Policy, disable the New XAMPP Security Concept. Disabling the New XAMPP Security Concept institutes the No Security Policy. (For additional information, including warnings and step-by-step instructions, see 3.2. To Institute The No Security Policy http://www.learnwebcoding.com/misc/windows_environment_develop_phpbb_styles.html#instituteNo)

c.) The Traditional LAMP/WAMP Security Policy: Upon authentication (i.e., after providing a valid username/password), the XAMPP host computer, and any computers on a network with the XAMPP host computer, are granted access to the XAMPP directory web pages and phpMyAdmin.

To institute the Traditional LAMP/WAMP Security Policy, disable the New XAMPP Security Concept and use the XAMPP directory web GUI to resolve two common WAMP/LAMP vulnerabilities and to select a secure phpMyAdmin authentication type. Disabling the New XAMPP Security Concept, resolving the common LAMP/WAMP vulnerabilities, and selecting a secure phpMyAdmin authentication type institutes the Traditional LAMP/WAMP Security Policy. (For additional information, including warnings and step-by-step instructions, see 3.3. Institute The Traditional LAMP/WAMP Security Policy http://www.learnwebcoding.com/misc/windows_environment_develop_phpbb_styles.html#instituteTraditional)

Concerning XAMPP 5.6.11+

1.) The new dashboard really needs to explain, or link to an explanation of, the default XAMPP security policy. Moreover, the new dashboard really needs to explain why it does not present, or why it does not need to present, the traditional LAMP/WAMP GUI for securing the LAMP/WAMP directory vulnerability, the MySQL root user account has no password vulnerability, and for selecting a secure phpMyAdmin authorization type. Keeping people in the dark about this would seem to be a mistake for it will likely only lead to more confusion and questions, and that is what the new dashboard is meant to avoid, correct?

2.) I would redesign the XAMPP 5.6.11+ dashboard to: 1.) explain the New XAMPP Security Concept, and 2.) present users with the opportunity to institute the three security policies described above: 1.) The New XAMPP Security Concept, 2.) The No Security Policy, and 3.) The Traditional LAMP/WAMP Security Policy. This would really distinguish XAMPP from the other LAMPs/WAMPs. Toward facilitating this, please feel free to use any of the language/wording in the XAMPP Security section of this web page on my web site:
Set Up A Local Windows Environment For Developing phpBB Styles
http://www.learnwebcoding.com/misc/windows_environment_develop_phpbb_styles.html#xamppSecurity

Regards,

Steve
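The three policies the post describes, written out as Apache 2.4 configuration. This is an added illustration, not text from the post or XAMPP's shipped file quoted verbatim; the first block follows the "New XAMPP security concept" `<LocationMatch>` section that sits at the bottom of httpd-xampp.conf in Apache 2.4-based XAMPP, while the Basic-auth block and the xampp.users path used for the traditional policy are assumptions.

```apache
# Policy a) New XAMPP Security Concept (the XAMPP default).
# Only requests originating on the host itself reach the XAMPP admin pages and
# phpMyAdmin; a browser on another machine in the LAN gets a 403. This is why a
# passwordless MySQL root and an open XAMPP directory are not reachable from the
# network, even though neither has been "fixed" in the traditional sense.
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Require local
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

# Policy b) No Security Policy.
# Commenting out the block above (or replacing "Require local" with
# "Require all granted") is exactly the "disable the New XAMPP Security Concept"
# step the post refers to. Every host on the network can then open phpMyAdmin,
# which logs in as the passwordless root account. Shown here so the weakening
# is explicit; it is the configuration the other two policies exist to avoid.
#<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
#    Require all granted
#</LocationMatch>

# Policy c) Traditional LAMP/WAMP Security Policy.
# Network access is allowed, but only after HTTP Basic authentication, which is
# what the old xamppsecurity.php "XAMPP directory protection" form set up.
# The AuthUserFile path is an assumption; the file is created with
# C:\xampp\apache\bin\htpasswd.exe. Completing this policy also means giving
# MySQL root a password and setting phpMyAdmin's
#   $cfg['Servers'][$i]['auth_type'] = 'cookie';
# in phpMyAdmin\config.inc.php so the browser prompts for those MySQL credentials
# instead of using the stored (config) ones.
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    AuthType Basic
    AuthName "XAMPP administration"
    AuthUserFile "C:/xampp/security/xampp.users"
    Require valid-user
</LocationMatch>
```

Only one of the three `<LocationMatch>` blocks should be active at a time; after editing, `httpd.exe -t` from C:\xampp\apache\bin checks the syntax before Apache is restarted.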