zordon01 wrote:This was the link:
http://server name/phpmyadmin/abc.php?
And that is where it most likely started. The others leak info no doubt, but they just added a roadmap.
zordon01 wrote:This was the link:
http://server name/phpmyadmin/abc.php?
zordon01 wrote:All cracked folders start with this link: http://server name/phpmyadmin/abc.php?(and the folders)
The PHP admin was password protected!
Alias /phpmyadmin "E:/XAMPP Versionen/7.1.1/xampp/phpMyAdmin/"
<Directory "E:/XAMPP Versionen/7.1.1/xampp/phpMyAdmin">
AllowOverride AuthConfig
Require local
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</Directory>
zordon01 wrote:I think someone somehow uploaded this file through the internet from xampp.
zordon01 wrote:It's not impossible.
You don't have to. But burying this in the FAQ is not enough, most often that is read after the fact. If there's one thing I've learned following this forum over the years, people don't go out of their way to read. Hence all the posts about something not working and asking how to fix it, posting the very part of the message they get that tells them to check the logs and windoze event viewer, and they don't even read that part of the error message.
Just put it where I suggested. You've done your duty!
danielo wrote:Thank you. The problem is that a lot of people don't even read that, they go directly to Sourceforge. We looked into it and here is what we found:
* phpMyAdmin is protected by default to be only accessed from localhost. If this was accessed by a remote attacker we are guessing it must be because the user actively changed it.
* Similarly server-status and server-info were protected to only be accessed by localhost on Linux, but we checked and they are accessible on Windows. We will fix access to those in a new release (working on having it for later today or tomorrow).
In addition to the above, we will include wording in the main section of the documentation for XAMPP, the first page that everyone sees; hopefully more people will be aware of it.
Thanks everyone for all the feedback, it is hard to make these tradeoffs. In the past we removed all the PHP examples from XAMPP because they were a source of security issues, which caused some disagreement but turned out overall to be a good decision. Hopefully we can fix this similarly with a clearer, more visible notice and making the defaults just listen to localhost.
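Added example (not part of the thread and not XAMPP code): a small Python audit that reads Apache 2.4 configuration text and reports, for the phpMyAdmin, server-status and server-info blocks discussed above, whether access is limited to localhost and whether a .htaccess file could override the rule. The function name audit, the verdict labels and the two Location blocks in the sample are assumptions made for illustration; only the phpMyAdmin block comes from the thread.

```python
import re

# Paths the thread names: phpMyAdmin, server-status, server-info.
SENSITIVE = ("phpmyadmin", "server-status", "server-info")
BLOCK_RE = re.compile(r'<(Directory|Location)\s+"?([^">]+)"?\s*>(.*?)</\1>', re.S | re.I)
# Require arguments that keep a block off the network (Apache 2.4 syntax).
LOCAL_RE = re.compile(r'(local|all\s+denied|ip(\s+(127\.[\d.]+|::1))+)$', re.I)

def audit(conf_text):
    """Return (target, verdict, htaccess_can_override) per sensitive block."""
    findings = []
    for _kind, target, body in BLOCK_RE.findall(conf_text):
        if not any(name in target.lower() for name in SENSITIVE):
            continue
        lines = [l.strip() for l in body.splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        requires = [l.split(None, 1)[1] for l in lines
                    if l.lower().startswith("require ")]
        if not requires:
            verdict = "NO-REQUIRE"        # access is decided by an enclosing scope
        elif all(LOCAL_RE.match(r) for r in requires):
            verdict = "LOCAL-ONLY"
        else:
            verdict = "REMOTE-REACHABLE"
        # Require is an AuthConfig directive, so AllowOverride AuthConfig/All
        # lets a .htaccess file in that directory replace the rule.
        override = any(re.match(r'allowoverride\s+.*\b(authconfig|all)\b', l, re.I)
                       for l in lines)
        findings.append((target.strip(), verdict, override))
    return findings

# Constructed sample: first block is the one quoted in the thread; the two
# Location blocks are made up for illustration, not XAMPP's shipped config.
SAMPLE = '''
Alias /phpmyadmin "E:/XAMPP Versionen/7.1.1/xampp/phpMyAdmin/"
<Directory "E:/XAMPP Versionen/7.1.1/xampp/phpMyAdmin">
    AllowOverride AuthConfig
    Require local
</Directory>
<Location /server-status>
    SetHandler server-status
</Location>
<Location /server-info>
    SetHandler server-info
    Require all granted
</Location>
'''

if __name__ == "__main__":
    for target, verdict, override in audit(SAMPLE):
        print(f"{verdict:17} htaccess-override={override}  {target}")
```

Any block reported as NO-REQUIRE or REMOTE-REACHABLE is worth checking by hand, and a LOCAL-ONLY block with the override flag set also needs a look at the .htaccess files in that directory.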