securityvulns SECURITYVULNS:DOC:22204
History: Jul 23, 2009 - 12:00 a.m.

Insufficient Authentication, XSS and SQL Injection vulnerabilities in XAMPP


Hello 3APA3A!

I want to warn you about security vulnerabilities in XAMPP.

These are Insufficient Authentication, Cross-Site Scripting and SQL Injection vulnerabilities.

Insufficient Authentication:

http://site/xampp/

There are sites where access to the admin panel of XAMPP is not restricted by a password.

XSS:

POST query at page http://site/xampp/adodb.php

"><script>alert(document.cookie)</script>
In fields: Database server, Host, Username, Password, Current database, Selected table.

SQL Injection:

The attack is conducted during access to the admin panel of XAMPP - via the above-mentioned Insufficient
Authorization vulnerability or via the Insufficient Authorization vulnerability which was found
earlier (http://websecurity.com.ua/3220/).

At page http://site/xampp/adodb.php

cds where 1=0 union select version(),0,0,0
In field Selected table.

XAMPP 1.6.8 and previous versions are vulnerable, and potentially the next versions (including the last
version, XAMPP 1.7.1).

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/3233/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
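
Added example, not part of the original message and not XAMPP's own code: a PHP sketch of how a form handler with the fields listed above can neutralise both inputs, by HTML-escaping every value it echoes back and by accepting the selected table only when it exactly matches a known table name. The function names, the field keys and the table list are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler, not the source of XAMPP's adodb.php.

/** Escape a value before echoing it back into an HTML attribute or body. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the SELECT for a user-chosen table. Identifiers cannot be bound as
 * query parameters, so the name must match a known table exactly.
 */
function build_table_query(string $selected, array $knownTables): string
{
    if (!in_array($selected, $knownTables, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    // Backtick-quote the identifier for MySQL, doubling any embedded backtick.
    return 'SELECT * FROM `' . str_replace('`', '``', $selected) . '`';
}

// Constructed sample input, using the two strings quoted in the advisory.
// The keys 'host' and 'table' are assumed field names.
$knownTables = ['cds'];   // in practice: the table list read from the database
$post = [
    'host'  => '"><script>alert(document.cookie)</script>',
    'table' => 'cds where 1=0 union select version(),0,0,0',
];

// The reflected field is rendered as inert text inside the attribute.
echo '<input name="host" value="' . h($post['host']) . '">', PHP_EOL;

// A legitimate table name passes; the injected string is rejected outright.
foreach (['cds', $post['table']] as $candidate) {
    try {
        echo build_table_query($candidate, $knownTables), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', h($candidate), PHP_EOL;
    }
}
```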
