| ID | Category | Severity | Reproducibility | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000127 | [1. XAMPP for Windows] Misc | text | always | 2009-08-21 01:27 | 2009-11-13 09:23 |

Reporter: XamppHacker
View Status: public
Assigned To: wiedmann
Priority: normal
Resolution: no change required
Status: resolved
Product Version: 1.7.2
Summary: 0000127: 1.7.2 Security pages no longer restricted to localhost.

Description:

(This is a 1.7.2 bug, not in the list) In 1.7.1 the Security link on the main XAMPP page was restricted to localhost access (although one could hack around that). The security check page links to xamppsecurity.php, which was also limited to localhost in 1.7.1. In 1.7.2, these links can be accessed remotely. The Security page still states:

"=> http://localhost/security/xamppsecurity.php <= [allowed only for localhost]"

But "allowed only for localhost" is no longer true. This will allow hackers to lock down an insecure XAMPP install (how's that for ironic? Is this a feature?)

Additional Information: (none)
Tags: No tags attached.
Attached Files: (none)
Notes
(0000161) wiedmann (manager) 2009-08-24 17:59

> In 1.7.2, these links can be accessed remotely.

Correct. But like other pages (e.g. the XAMPP demopage, phpmyadmin, ...) only from within your local network.

> Security page still states:
> "=> http://localhost/security/xamppsecurity.php <= [allowed only for localhost]"

Oh, I have forgotten to remove this from the language files. Thanks.

(0000162) XamppHacker (reporter) 2009-08-25 04:28

>> Correct. But like other pages (e.g. the XAMPP demopage, phpmyadmin, ...) only from within your local network.

Um....no. (Unless you define local network as www.*) In the real world, people install XAMPP and plug it into the internet without paying any attention to the warnings that say "don't do that". That shouldn't surprise anyone: it's a predictable failure.

Try this Google: intitle:"XAMPP 1.7.2" "1.7.2!" "pearinfo"

I only got 5 hits, but 1.7.2 is new. I was able to click through 2 of them to bring up xamppsecurity.php. So much for local network only ;-)

Similar searches for older versions show that an alarmingly high number of XAMPP installs get plugged into the net without being secured. I have a rather lengthy list of XAMPP sites that have already been hacked, or will be before long. IMHO, any step that reduces security in XAMPP is a step in the wrong direction.

(0000163) wiedmann (manager) 2009-08-25 14:49

> Um....no. (Unless you define local network as www.*)

"www.*" is part of a hostname, and not a network (IP address). BTW: It's not of interest which hostname you are using to access the XAMPP pages. The access is restricted by the IP the request is coming from (what you can see in phpinfo() at $_SERVER['REMOTE_ADDR']). Just try to access your XAMPP demopage from outside your own LAN and see if this works.

> I only got 5 hits, but 1.7.2 is new. I was able to click through 2 of them to bring
> up xamppsecurity.php. So much for local network only ;-)

Well, these guys have disabled the security settings in "httpd-xampp.conf". If someone is doing this, there is nothing we can do...

(0000210) XamppHacker (reporter) 2009-08-26 03:08

>> Well, these guys have disabled the security settings in "httpd-xampp.conf". If someone is doing this, there is nothing we can do...

No way I can know that, but now that I see what you did in .conf, yes, you are almost certainly right.

>> Just try to access your XAMPP demopage from outside your own LAN and see if this works.

Got it. In the past, VMWare host/guest made a good proxy for sandboxing the internet. Not so in 1.7.2. Different sub-nets, but both on 192.* That's my problem, not yours.

Including webalizer in the regex was smart...way too much information leaked through that one in prior versions.

So, yes...you can downgrade this from critical to trivial. Change localhost to intranet and move on to bigger things.

(0000213) francis (reporter) 2009-09-02 17:55

> In 1.7.2, these links can be accessed remotely.

You'll be safe as long as your site is not on the web. (in other words: not accessible outside your network)
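The thread turns on two points: wiedmann's explanation (note 0000163) that the admin pages are gated by the client IP seen in REMOTE_ADDR via a block in httpd-xampp.conf, and XamppHacker's observation (note 0000210) that a VMware guest on a different 192.* subnet still got through, and that webalizer is covered by the same regex. The script below is an added example, not XAMPP's own file or code: it evaluates such a LAN-only rule offline, so an administrator can check which (path, client address) pairs the rule admits before exposing a host. The config text is constructed to follow the pattern the thread describes (a LocationMatch regex over the admin paths, "Deny from all", then "Allow from" private ranges); the exact paths and ranges in a real install are an assumption and may differ, and the parser only understands CIDR or full-address tokens, not the hostname or partial-IP forms Apache also accepts.

```python
"""Offline check of an Apache 2.2-style LAN-only restriction of the kind this
thread describes for httpd-xampp.conf.

Added example; the sample block is constructed (assumption), not copied from
any real XAMPP release.
"""
import ipaddress
import re

# Constructed sample of the kind of block discussed in the thread.
SAMPLE_CONF = r'''
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Order deny,allow
    Deny from all
    Allow from ::1 127.0.0.0/8 \
               fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
               fe80::/10 169.254.0.0/16
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
'''


def parse_locationmatch(conf):
    """Return (compiled path regex, list of allowed ip_network objects)."""
    # Join backslash-continued lines the way Apache reads them.
    conf = re.sub(r"\\\n\s*", " ", conf)
    m = re.search(r'<LocationMatch\s+"([^"]+)">(.*?)</LocationMatch>', conf, re.S)
    if not m:
        raise ValueError("no LocationMatch block found")
    path_re = re.compile(m.group(1))
    allowed = []
    for line in m.group(2).splitlines():
        line = line.strip()
        if line.lower().startswith("allow from"):
            # Simplification: only CIDR or full-address tokens are handled.
            for tok in line.split()[2:]:
                allowed.append(ipaddress.ip_network(tok, strict=False))
    return path_re, allowed


def request_allowed(path, remote_addr, path_re, allowed):
    """Apache 2.2 'Order deny,allow': Deny is evaluated first, then Allow, and
    the last directive that matches wins, so a client inside any Allow network
    is admitted and every other client hits 'Deny from all'. Paths that the
    LocationMatch regex does not cover are untouched by this block."""
    if not path_re.search(path):
        return True
    ip = ipaddress.ip_address(remote_addr)
    # 'in' returns False when the address and network families differ,
    # so IPv4 clients are never matched against the IPv6 ranges by accident.
    return any(ip in net for net in allowed)


def audit(requests, conf=SAMPLE_CONF):
    """Map each constructed (path, REMOTE_ADDR) pair to True/False (admitted)."""
    path_re, allowed = parse_locationmatch(conf)
    return {(p, a): request_allowed(p, a, path_re, allowed) for p, a in requests}


# Constructed sample requests (documentation ranges for the public addresses).
SAMPLE_REQUESTS = [
    ("/security/xamppsecurity.php", "127.0.0.1"),    # loopback
    ("/security/xamppsecurity.php", "192.168.56.10"),  # another 192.168 subnet (the VMware case)
    ("/security/xamppsecurity.php", "203.0.113.5"),  # public client
    ("/Webalizer/", "203.0.113.5"),                  # regex is case-insensitive
    ("/xampp/", "198.51.100.7"),                     # public client
    ("/index.php", "203.0.113.5"),                   # not covered by the block
    ("/security/", "::1"),                           # IPv6 loopback
]

if __name__ == "__main__":
    for (path, addr), ok in audit(SAMPLE_REQUESTS).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {addr:>15} {path}")
```

The second sample request is the point of note 0000210: 192.168.0.0/16 covers every 192.168.x.y subnet, so a guest VM on a neighbouring private subnet is "inside the LAN" as far as this rule is concerned, and a real outside-the-network test needs a client with a public source address.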
Mantis 1.1.6 Copyright © 2000 - 2008 Mantis Group