Severe security issues in default configuration


Postby cxx » 08. December 2010 13:02

Hello there,

related to a lot of XAMPP installations on Windows servers (which we do not manage ourselves) we are experiencing problems with hacked machines. The default configuration of XAMPP allows accessing the system using WebDAV with a default password and makes uploading and execution of malicious scripts possible for everyone - which makes DoS-performing zombies spring up like mushrooms. I'm aware of the fact that XAMPP is not intended to be used on public servers, but a certain audience is used to doing so. Nevertheless, any hint regarding that hole is missing in the FAQ.

This is not a new problem:

https://www.metasploit.com/redmine/issues/2170
http://www.fortiguard.com/encyclopedia/ ... pload.html

I think it is irresponsible to offer XAMPP to an ingenuous audience while keeping the default configuration insecure - 50% of the users who are aware of the fact that XAMPP's default configuration is insecure are not interested in system security at all.

So who do I need to contact? Is there a mailing list, someone responsible?

Regards
Christian


PS I also posted this in German in the German section.
cxx
 
Posts: 6
Joined: 08. December 2010 12:39

Re: Severe security issues in default configuration

Postby b-morgan » 04. January 2011 07:26

I got hacked through this "hole". I have figured out how to change the WebDAV password.

Are there any other "holes" like this that should be plugged?

Was there any response on the German side?
b-morgan
 
Posts: 2
Joined: 19. January 2008 22:33
Location: Colorado Springs, Colorado

Re: Severe security issues in default configuration

Postby anon » 27. January 2011 04:51

This "hole" is a pain in the ass and is a big problem and needs to be addressed.

I have a customer who keeps getting hit with UDP floods and EVERY single machine that turns up is xampp based. Unfortunately I've had no choice but to make them leave. Handling an attack of over 600 zombies - many of which have GREAT connections at datacenters - is not even an option.

Ever since this was reported in July, stupid kids are scanning the internet for any and all open WebDAV folders they can. Because of this "hole" and irresponsible admins, there are some CRAZY powerful shell booters out there. It seems nobody wants to fix this problem merely because XAMPP is not meant to be run in a production environment.

I have to agree with the first poster. Unfortunately people don't want to listen and use this for production. The default configuration, at the VERY least, should provide some security. It would not be difficult to simply have the user make their own password for all the services, or just get rid of WebDAV as something enabled by default. A lighter WAMP package, EasyPHP, also not used for production, takes situations like this into account. If someone opens Apache to the web, for example, you still can't reach /phpmyadmin/ from a location that isn't 127.0.0.1 unless you actually go in and edit that out. This is just an example of another easy way to fix this WebDAV issue.

I would also like to know who to contact about this or if there are even ANY plans to fix this.
anon
 
Posts: 3
Joined: 27. January 2011 04:30

Re: Severe security issues in default configuration

Postby Sharley » 27. January 2011 05:02

anon wrote:
I would also like to know who to contact about this or if there are even ANY plans to fix this.
There have been more recent posts here with some info included:
viewtopic.php?f=16&t=43824
viewtopic.php?f=16&t=44140

Bug reported here so you can add your 2 cents in a report if you wish:
http://bugs.xampp.org/my_view_page.php
Bug report page:
http://bugs.xampp.org/view.php?id=170

The more reports added to the main bug report the better chance of it being noticed by the developer.

No sign of any action on the bug yet and it's been over a week since it was reported - Unassigned - so looks like it is not on the developers radar yet. :(

There are still Unassigned reported bugs going back to September last year. :shock:

However, not sure yet if this hole has been closed in the latest XAMPP 1.7.4 stable version just released yesterday.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia
Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Severe security issues in default configuration

Postby JonB » 27. January 2011 05:39

I have a customer who keeps getting hit with UDP floods and EVERY single machine that turns up is xampp based. Unfortunately I've had no choice but to make them leave. Handling an attack of over 600 zombies - many of which have GREAT connections at datacenters - is not even an option.


Maybe you should do something, eh??? :shock:
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: Severe security issues in default configuration

Postby anon » 27. January 2011 05:54

Thanks for the information Sharley. I didn't see any of that until now. I hope it gets fixed. I'm glad someone else sees that this is a pretty big issue.

@ Jon B. Really? There is little you can do to stop a UDP flood of this magnitude, short of spending thousands of dollars for serious protection. When this first started happening I initially made an effort to file reports with the datacenters whose machines were being abused. I also block the IPs in our firewall, but it doesn't even matter, the UDP flood is just too strong. The efforts to get the servers cleaned by their hosts are totally futile when the next week they return with a whole bunch more of compromised XAMPP servers. Not just two or three either, HUNDREDS.
anon
 
Posts: 3
Joined: 27. January 2011 04:30

Re: Severe security issues in default configuration

Postby Sharley » 27. January 2011 08:58

Sharley wrote:
However not sure yet if this hole has been closed in the latest XAMPP 1.7.4 stable version just released yesterday.

WebDAV has been disabled with a suitable warning in version 1.7.4 in the httpd.conf file like so:
# Distributed authoring and versioning (WebDAV)
# Attention! WEB_DAV is a security risk without a new userspecific configuration for a secure authentifcation
# Include "conf/extra/httpd-dav.conf"
Now all you XAMPP users with versions less than 1.7.4 should edit your httpd.conf file like the above code block - that method of disabling by commenting out the reference to the WebDAV config file is only one of many but is easy and would be server wide - remember to restart Apache after editing the httpd.conf file.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia
Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3
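The post above describes disabling WebDAV by commenting out the Include of httpd-dav.conf. As an added illustration (not code from the thread or from XAMPP), here is a small Python audit that detects the pre-1.7.4 state in a copy of httpd.conf and applies that same fix, additionally commenting out the mod_dav LoadModule lines as a belt-and-braces measure. The sample configuration text, the regular expressions and the function names are all assumptions constructed for this example.

```python
import re

# Constructed sample modelled on a pre-1.7.4 XAMPP httpd.conf (not a real file).
HTTPD_CONF_BEFORE = """\
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
# Distributed authoring and versioning (WebDAV)
Include "conf/extra/httpd-dav.conf"
"""

# An active (uncommented) Include of the WebDAV config file.
INCLUDE_RE = re.compile(r'^\s*Include\s+"?conf/extra/httpd-dav\.conf"?\s*$',
                        re.IGNORECASE)
# LoadModule lines for mod_dav and its helper modules.
LOADMOD_RE = re.compile(r'^\s*LoadModule\s+dav(_fs|_lock)?_module\s', re.IGNORECASE)

WARNING = ("# Attention! WebDAV is a security risk without a user-specific "
           "configuration for secure authentication")


def webdav_enabled(conf_text: str) -> bool:
    """True when httpd.conf still pulls in httpd-dav.conf (the risky default)."""
    return any(INCLUDE_RE.match(line) for line in conf_text.splitlines())


def disable_webdav(conf_text: str) -> str:
    """Comment out the Include and the mod_dav LoadModule lines.

    Lines that are already commented do not match, so running this twice
    yields the same output (idempotent). Apache must be restarted afterwards.
    """
    out = []
    for line in conf_text.splitlines():
        if INCLUDE_RE.match(line):
            out.append(WARNING)
            out.append("# " + line.strip())
        elif LOADMOD_RE.match(line):
            out.append("# " + line.strip())
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("WebDAV enabled before:", webdav_enabled(HTTPD_CONF_BEFORE))
    fixed = disable_webdav(HTTPD_CONF_BEFORE)
    print("WebDAV enabled after: ", webdav_enabled(fixed))
    print(fixed)
```

To audit a real installation, read the file with `open(path).read()` and pass the text to `webdav_enabled`; write the result of `disable_webdav` back only after taking a backup.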

Re: Severe security issues in default configuration

Postby JonB » 27. January 2011 15:45

@ anon -

The answers are not always obvious, but I'm of the opinion there is a one-time fix for any provisioner (and it's pretty straightforward).

I have NOT tested my idea for a peculiar reason - I have not had adequate time for reading and research (not the type you expect). But I suspect this fix is trivial, and requires two specific pieces of information. Certainly, less effort than you describe.

As for asking 'them' to leave - I suspect you were within your rights (on the assumption that I have intuited correctly and you and the original poster were/are an unmanaged VPS provider or work for one). Hosting contracts are pretty much a one-way deal. There certainly is the option of 'forbidding' this or that, but those rules are usually worse than saying nothing and pruning by exception. I suppose (thinking economically) that my solution might be unappealing, as it would encourage people to install XAMPP on production servers. You 'could' I guess, just tell them the magic Shazaam fix also... :shock: Those unmanaged VPSs are a minefield of unexpected outcomes. I have several of both varieties, and my first unmanaged one was an eye-opener (but I got it all spinning smoothly :mrgreen:).

I do think, with the new release, it is certainly fair to ask THE POWERS-THAT-BE to fix the bug (well, it's not REALLY a bug - any more than the fact that MySQL installs without a root password is - you simply have to account for the situation) in some fashion. Disabling mod_dav and so on in the httpd.conf configuration file would probably be ideal (while still maintaining the 'structures' for it), but just eliminating the default PW, and making a patch on the security page would also work. However, I'd bet that the developers will say (again) "testing, testing, testing - NOT production" and WebDAV goes with SVN... (editorial disclosure - I was too busy on budgets for the last two months to DL and test the final beta of XAMPP 1.7.4 and I am a team member on another OS project that is sprinting for a major release - sooo the fix may be in there already)

Oddly enough - please consider this - the XAMPP development team is a victim of its own fine work. IF XAMPP were not so easy to use, well thought through and reliable -- all this just would not be an issue -- as those who can't build a stack on their own would not be tempted to use a testing stack for production. I will say personally that anyone who can't get a stack running on a server shouldn't be self-hosting, but I would be whistling in the wind. It's 'trivial' (I like that word today) for a competent systems engineer to get a stack (of standalone installs) running on W2K3 or W2K8; even I have been able to master that, LOL (and at the end, you know how stuff works, God forbid). Unfortunately they don't really cover that in the MS-oriented training many SEs get. The end finger-of-blame has to be pointed at organizations and individuals that venture into areas where they are truly incompetent (read cross-platforming), and everyone else pays the price.

Just my thoughts (albeit a lot of them) - and I guess the secret formula is there, eh? You do have to be clever to implement the solution.

8) <== kool geek.
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: Severe security issues in default configuration

Postby anon » 28. January 2011 05:01

Jon B,

Maybe my first post wasn't clear, but no, I'm not a VPS provisioner and I don't run a VPS service or anything like this. I host web-based communities for people as a service. We have two dedicated servers; out of the many customers we have on our service, only this one is being attacked this aggressively. Attacks are pretty common; HTTP floods, etc., all of which we've learned to handle, but this is impossible for us. Hence why we told them they had to go; it's unfortunate but it's the only thing economically that makes sense because the situation is so severe. We're the ones on the receiving end of all the UDP floods because of irresponsible VPS & dedicated server administrators who choose to run XAMPP in production. Not the other way around. Every time our server gets attacked, I comb through the list of IP addresses; they are all XAMPP servers running an open WebDAV - many of them just allow anyone to access the PHP-based UDP flood shells that these kids upload. Pretty much open to anyone who wants to use them.

If I did run a VPS service... there is probably an easy way to tie these machines down at network level once they start spewing the standard UDP flood. I'd imagine an IDS or something like that could watch for such traffic and then take action automatically. But no, that is not my situation at all. And apparently there's tons of datacenters out there who clearly don't have anything in place to pick up on this type of bad traffic that's getting spewed *from* their network, or else some of these machines would have been stopped. To be on the receiving end of UDP floods as I'm sure you know really sucks... and there is little you can do except for pay out the nose for a filtering service in a case like this, or order more bandwidth to just absorb the garbage that comes in.

By the way, I didn't mean to imply that this is all XAMPP's fault, because it's not. It says not to use it in production, and yet idiots do anyway. At the end of the day the real blame is on the server admins, and perhaps the datacenters too for not having anything in place to detect something like this. I can imagine that when these machines start packeting the crap out of people; we are probably not the only ones who feel the effects of it. If the machine(s) are on a shared line then they're going to all feel the heat because of these UDP floods that maybe 1 VPS is spitting at some website.

If XAMPP didn't do anything about it, then it would be well within their rights. It says not to use it in production, and people are warned. However, as you said, sometimes you need to look at reality and account for the situation. XAMPP works too damn well, and is too easy to use. So, people use it in production and actually get away with it quite well, and 99% probably don't get hacked either except for this little WebDAV issue. But, I think there is perhaps an ethical responsibility when something like this is provided and there is a consistent and/or widespread pattern of exploitation to fix the said "hole."

It looks like they've stepped up and done just that, so in time this shouldn't be a problem anymore.

:shock: <== geek watching 'iftop' freaked out about UDP floods. :lol:
anon
 
Posts: 3
Joined: 27. January 2011 04:30

Re: Severe security issues in default configuration

Postby JonB » 29. January 2011 01:21

@ anon -

thanks for clarifying things, AND - your emphasis to the UDP flooding reminded me what the REAL problem is/was:

I had forgotten that when I responded the first time, I was shocked :shock: -- not by the bad idea of a known default password, but by the EXECUTE permission. Repositories should never be executable, and that is the real 'lethality' here.

Of course, "NOW" it occurs to me how to shut them down (maybe) I gotta check facts first, and test.

BTW, the past-tense 'right fix' would be a XAMPP zip package for ISPs/hosts with a WebDAV fix, ready to 'push' onto clients (again a fairly trivial piece of work).

I host communities also, and I'm a member of the YaBB project (that has a major step forward close to ready - subforums and a MySQL port {the two things we lacked}). In 'real life/work' I'm a server geek there too, and a 'web presence/portal' and database developer. Most of what I do is architecture or 'new build/ground up' work.

Good luck
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: Severe security issues in default configuration

Postby JonB » 29. January 2011 01:24

:D Well that was a worthy 1000th post I guess, LOL.

:mrgreen:
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7
