Possible privilege escalations in XAMPP for Windows

Announcements and news about XAMPP and the Apache Friends project.

Possible privilege escalations in XAMPP for Windows

Postby Oswald » 09. May 2006 11:53

Thierry Zoller informed us about four possible privilege escalations in XAMPP for Windows. Thierry, thank you very much for notifying us of this problem.

The problem occurs if the installation path of XAMPP for Windows contains a blank character (like in C:\Program files\XAMPP) and you're creating a file named C:\Program.exe. In this case you will be able (for example) to catch the starting FileZilla service and start your own program (C:\Program.exe) as a service.

To exploit this vulnerability an attacker already needs full access to your C:\ directory to create the needed C:\Program.exe file.

Thierry found three other scenarios within this bug will appear. To find out more details about this problem please take a look into Thierry's Blog.

Update May 9th 2006
The current Windows beta fixes two of the problems based on this bug. We expect the next beta soon which will fix all four problems.

Update May 10th 2006
The new Windows beta now fixes all problems.
Last edited by Oswald on 10. May 2006 15:11, edited 1 time in total.
User avatar
Oswald
Apache Friends
 
Posts: 2718
Joined: 26. December 2002 19:51
Location: Berlin, Germany
XAMPP Version: 5.5.19
Operating System: Linux

Postby WorldDrknss » 10. May 2006 13:12

Oswald,
How about we set the default directory as C:\apachefriends or C:\xampp thus eliminating the use of "%20" in scripts, and making it easier to work with VirtualHosts.

Examples:
Instead of
Code: Select all
<VirtualHost *:80>
DocumentRoot C:/Program%20Files/xampp/htdocs
ServerName localhost
</VirtualHost>

We will be able to use
Code: Select all
<VirtualHost *:80>
DocumentRoot /apachefriends/xampp/htdocs
ServerName localhost
</VirtualHost>

or even
Code: Select all
<VirtualHost *:80>
DocumentRoot /xampp/xampp/htdocs
ServerName localhost
</VirtualHost>


Just a though and would make it easier to those new to setting up a webserver.

Anyways great package I enjoy it a lot.
Keep up the good work.
-WorldDrknss
http://wdguides.org - XAMPP Tutorials & MORE!!!!
User avatar
WorldDrknss
 
Posts: 292
Joined: 17. September 2005 13:40

Postby Wiedmann » 10. May 2006 13:28

DocumentRoot C:/Program%20Files/xampp/htdocs

On Windows (and *nix) simply quote paths:
Code: Select all
DocumentRoot "C:/Program Files/xampp/htdocs"

(see the other examples in "httpd.conf")
Wiedmann
AF Moderator
 
Posts: 17106
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Postby WorldDrknss » 10. May 2006 13:57

Good point, being up for 24 hours kind of gets to you.
Thanks Wiedmann
http://wdguides.org - XAMPP Tutorials & MORE!!!!
User avatar
WorldDrknss
 
Posts: 292
Joined: 17. September 2005 13:40

Does this vulnerability apply AFTER installation, or what?

Postby ivi » 13. May 2006 02:53

From a quick browse of the security person's report, I got the impression that:

- the problem was ONLY during installation, and

- the computer had to be sufficiently accessible
that an attacker could hide a PROGRAM.EXE
file on the C:\ (or other installation) drive

True? ...or did I misread something?

TIA

PS Still, I'd be happy to keep XAMPP where it
was put by v 1.5.1 installer (in C:\xampp)
ivi
 
Posts: 5
Joined: 06. March 2006 10:53


Return to Announcements and news

Who is online

Users browsing this forum: No registered users and 0 guests