Peter, the OP did mention what files had been uploaded to the webdav folder and he quite rightly refrained from revealing their contents here, which will help to prevent the proliferation of this type of hack, at least emanating from this forum.
Also if you had followed the link in my first reply it would have revealed a method by which to change the password, conspicuously omitted from your reply, the changing of which is easier said than done.
Before replying in a topic, an advanced forum search to see what else has been posted about the particular topic may also be rewarding especially after reading all that had already been posted here and by following the posted links.
Another solution to this, that you missed in your reply, is the inclusion of the webdav folder to the list of folders already in the \xampp\apache\conf\extra\httpd-xampp.conf file under the New XAMPP security concept section, which would only permit local access with a 403 error to any other type of access.
Using a text editor, at the end of the LocationMatch list simply add
|webdav - save the file and then restart Apache to have your edits recognized.
Here's more for advanced server administrators to peruse.
You can turn off webdav by editing the \xampp\apache\conf\extra\httpd-dav.conf file and changing this line to read
- Code: Select all
<Directory "/xampp/webdav">
Dav OFF
Even to comment out this line in the httpd.conf file so it looks like this...
- Code: Select all
# Distributed authoring and versioning (WebDAV)
# Include "conf/extra/httpd-dav.conf"
...then Apache won't even know about webdav and if you also include the deleting of \xampp\security\webdav.htpasswd file then the folder becomes superfluous in the hack equation.
So the old idiom of "There's always more than one way to skin a cat" rings true once more in the case of closing the webdav hole:
http://www.worldwidewords.org/qa/qa-mor1.htmhttp://idioms.thefreedictionary.com/The ... skin+a+catFinally, if some kind soul would create a bug report so that the developers can attend to this increasingly used security hole, so it is not On by default, then the less informed XAMPP users about the hardening of the Apache web server can only benefit and be kept a little more safe.
You can sign-up for a new account at the XAMPP bug tracker here...
http://bugs.xampp.org/my_view_page.php...and if the issue has already been reported then you can add notes relative to your own webdav exploit experience or if you have more information that may assist the developers further their knowledge of this serious security hole.
There may already be hundreds if not thousands of webdav exploited XAMPP installations out there, acting as zombies, that users may not even be aware off.
Please stay safe and good luck to all our forum readers.