Help with 2 Vulnerabilities

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Postby swalsh19 » 26. October 2023 17:19

I have 2 vulnerabilities that I don't know how to address, seeking some help. I have done a basic install with very little changes from the installer.

phpinfo Information Disclosure Vulnerability:
This host has a publicly-accessible PHP file that calls the phpinfo() function (or some other function similar to it).

If a user requests this file (such as via an Internet browser), the user may obtain a page containing sensitive information about the Web server host. The information displayed to the user could include the exact version numbers of various software products (Operating Systems, Web Servers, PHP, XML, MySQL), the values of some environment variables ($PATH, $SYSTEM_ROOT), paths to various programs (cmd.exe), and much more.

jQuery Cross-Site Scripting (XSS) Vulnerability: I can't find the offending file, nor is it listed; partial contents are:

<!-- Use title if it's in the page YAML frontmatter -->
<title>Welcome to XAMPP</title>

<meta name="description" content="XAMPP is an easy to install Apache distribution containing MariaDB, PHP and Perl." />
<meta name="keywords" content="xampp, apache, php, perl, mariadb, open source distribution" />
swalsh19
 
Posts: 5
Joined: 06. June 2023 20:05
XAMPP version: 3.3.0
Operating System: Windows Server 2019

Re: Help with 2 Vulnerabilities

Postby Nobbie » 26. October 2023 20:40

swalsh19 wrote: If a user requests this file (such as via an Internet browser), the user may obtain a page containing sensitive information about the Web server host

And which user can request a file from your local ("localhost") webserver? And why? If someone can access your localhost, change it! XAMPP is not meant for public use.
Nobbie
 
Posts: 13176
Joined: 09. March 2008 13:04

Re: Help with 2 Vulnerabilities

Postby swalsh19 » 27. October 2023 13:08

I'm not sure how/where Qualys is detecting this. Sorry, I'm a newbie; I did an OOB install, so to speak, and would have thought this was configured to be not for public use and that Apache was configured in that manner. Would appreciate any assistance I can get for this one.
swalsh19
 
Posts: 5
Joined: 06. June 2023 20:05
XAMPP version: 3.3.0
Operating System: Windows Server 2019

Re: Help with 2 Vulnerabilities

Postby petroben » 30. October 2023 10:55

I can offer some guidance on how to address these vulnerabilities:

1. phpinfo Information Disclosure Vulnerability:

To address this issue, you should locate the PHP file that's calling the phpinfo() function and either remove it or restrict access to it.
The file that calls phpinfo() is typically named something like phpinfo.php. You should look for this file in your web root directory or any other relevant locations.
Once you find the file, you can either delete it or restrict access to it using appropriate server configurations. If you don't need it for any specific purpose, removing it is the safer option.
2. jQuery Cross-Site Scripting (XSS) Vulnerability:

It appears that this issue might be related to XAMPP's default page. To address it, you should inspect the default page templates used by XAMPP.
Locate the template file that contains the code you provided and replace it with a safe version that doesn't include any potentially malicious content.
Be sure to update XAMPP to the latest version, as newer releases often include security fixes.
For both vulnerabilities, ensure you keep your software, including XAMPP, PHP, and any other components, up to date to patch any known security issues. Regularly monitor your system for any unusual or unauthorized access attempts.

Remember to back up your data and configuration settings before making any changes to your server to avoid unintended consequences. If you're not confident in making these changes, consider seeking help from a security professional or system administrator to ensure your server's security is maintained.
Petro
petroben
 
Posts: 2
Joined: 27. October 2023 17:47
XAMPP version: 3.2
Operating System: mac
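As an added example that is not code from this thread or from XAMPP: a small scanner that walks a web root for PHP files calling phpinfo() (the "locate the file" step above) and emits an Apache 2.4 "Require local" fragment for any file that has to stay. The default path C:\xampp\htdocs, the helper names and the constructed demo tree are assumptions for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# PHP function names are case-insensitive, so "PHPINFO ( )" counts too.
PHPINFO_CALL = re.compile(r"\bphpinfo\s*\(", re.IGNORECASE)

def has_phpinfo_call(source: str) -> bool:
    """True if the PHP source contains a phpinfo() call. Deliberately
    over-reports commented-out calls: those files still deserve a manual look."""
    return PHPINFO_CALL.search(source) is not None

def scan_tree(root, extensions=(".php", ".phtml")):
    """Return the sorted list of PHP files under root that call phpinfo()."""
    root = Path(root)
    if not root.is_dir():
        return []
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if has_phpinfo_call(text):
                hits.append(str(path.relative_to(root)))
    return sorted(hits)

def apache_restrict_snippet(filename: str) -> str:
    """httpd.conf/.htaccess fragment limiting a file to local requests (Apache 2.4)."""
    return f'<Files "{filename}">\n    Require local\n</Files>\n'

def make_demo_tree() -> str:
    """Constructed sample web root: an obvious phpinfo.php, a hidden call in a
    subfolder, a clean index.php and a non-PHP file. Returns the directory path."""
    root = Path(tempfile.mkdtemp(prefix="htdocs_demo_"))
    (root / "dashboard").mkdir()
    (root / "phpinfo.php").write_text("<?php phpinfo(); ?>")
    (root / "dashboard" / "status.php").write_text("<?php echo 'ok'; PhpInfo ( INFO_GENERAL ); ?>")
    (root / "index.php").write_text("<?php echo 'Welcome to XAMPP'; ?>")
    (root / "notes.txt").write_text("phpinfo() is mentioned here but not served as PHP")
    return str(root)

if __name__ == "__main__":
    # Assumed default XAMPP web root on Windows; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\xampp\htdocs"
    for hit in scan_tree(target):
        print(hit)
        print(apache_restrict_snippet(Path(hit).name))
```

Run it as `python scan_phpinfo.py C:\xampp\htdocs` (or with no argument for the assumed default); deleting the reported files is still the safer choice, and the fragment is only for one you must keep.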

Re: Help with 2 Vulnerabilities

Postby swalsh19 » 30. October 2023 22:38

Thanks so much for the reply. I have the latest version they have available with PHP 8.2.4, hoping a newer version comes soon since PHP is up to 8.2.10.

Question though: I have the Windows version here; where are the default page templates placed, any idea? I will look manually. I wish Qualys would have given me a hint on the filename here.

As for the other issue, I found 3 phpinfo.php files on the system. I have removed them and will see if that fixes that issue up. I thought this was referring to the PHP version being older.
swalsh19
 
Posts: 5
Joined: 06. June 2023 20:05
XAMPP version: 3.3.0
Operating System: Windows Server 2019