I have been successfully using XAMPP as a development server for quite a while, and have found it unbelievably useful. But I have just discovered it appears it is not secure. I discovered by chance that someone is pointing their domain name to my local server (I have no idea how or why, but I have tracked down who owns the domain name). When you enter the rogue domain name in a browser, it directs to the XAMPP Welcome screen on my computer. My local test websites can be viewed with http://www.roguedomainname/testwebsite as well. It is as if I am running a public website. This is of course a problem.
I apparently missed the step about securing XAMPP, I guess because I never intended it to be public. I again looked through documentation, forums, etc., and it looks like I need to change the root password for MySQL & XAMPP at the very least. But I cannot seem to change the root password for MySQL + XAMPP, as directed in the readme directions:
"To fix most of the security weaknesses simply call the following URL:
http://127.0.0.1/xampp/xamppsecurity.php
The root password for MySQL + phpMyAdmin and also a XAMPP directory protection can being established here."
When I change the password on that security page, nothing changes. I close down Apache and restart, clear the cache, and it still reports the MySQL admin user root has NO password. I am at a loss as to how to secure this. Usually I am missing the obvious; does anyone have a suggestion?
My configuration on an XP:
ApacheFriends XAMPP (basic package) version 1.4.15
+ Apache 2.0.54
+ MySQL 4.1.13
+ PHP 5.0.4 + PHP 4.4.0 + PEAR
+ eAccelerator 0.9.3(PHP5) / 0.9.4-dev(PHP4)
+ PHP-Switch win32 1.0
+ XAMPP Control Version 2.1 from http://www.nat32.com
+ XAMPP Security 1.0
+ SQLite 2.8.15
+ OpenSSL 0.9.8
+ phpMyAdmin 2.6.3-pl1