
[Security] Serious vulnerability on XAMPP - Everyone using XAMPP, please read this!

Greetings OTLand members.

It has come to my attention that XAMPP comes with a security flaw which is exploited through the use of the WebDAV (C:/xampp/webdav) folder. A hacker could upload scripts with malicious code onto your website (a shell for instance or a DoS script), thus gaining full access to the website's files and sometimes to the entire server. Since TFS users have their database credentials in config.lua, this, by extension, could give the hacker root access to the database of the victim.

The results of such an attack are serious: it could turn your server into a zombie, mess with your server's database (creating god accounts for instance), get your server's scripts/modifications/configuration etc., or deface your website.

I won't describe how to exploit this vulnerability and I will go straight into giving you the solution.

Please visit this link to learn how to secure your XAMPP: Apache Friends Support Forum - WebDAV security flaw solution

Or alternatively you can change the password of WebDAV on this file: /xampp/security/webdav.htpasswd

Yours,
Delirium.

P.S: Feel free to PM me if you need assistance.
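The fix the post points at is rotating the credential stored in /xampp/security/webdav.htpasswd. The following script is an added example, not code from the thread or from XAMPP: it parses an Apache htpasswd file, flags users whose entry still verifies against a constructed list of weak candidate passwords, and rewrites a user's line with a freshly generated password. The sample file, user names and candidate passwords are all constructed for the example; only the `{SHA}` hash scheme is implemented because it can be produced with the Python standard library (Apache's `htpasswd -B` produces bcrypt entries, which are preferable when that tool is available).

```python
"""Audit and rotate entries in an Apache-style htpasswd file.

Added example for this thread; XAMPP's own file lives at
/xampp/security/webdav.htpasswd (path from the post). Everything below
uses constructed sample data.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def sha_hash(password: str) -> str:
    """Return an Apache '{SHA}' entry: base64 of the raw SHA-1 digest (unsalted)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map user -> stored hash, skipping blank lines and '#' comments."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def verify(stored: str, password: str) -> bool:
    """Constant-time check of a candidate password against a '{SHA}' entry.

    Other schemes (crypt, $apr1$, bcrypt) are reported as not matching here;
    checking them needs a library such as passlib.
    """
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_hash(password))


def weak_users(entries: Dict[str, str], candidates: List[str]) -> List[str]:
    """Users whose stored hash matches any candidate password (sorted)."""
    return sorted(u for u, h in entries.items()
                  if any(verify(h, c) for c in candidates))


def rotate_password(text: str, user: str,
                    new_password: Optional[str] = None) -> Tuple[str, str]:
    """Replace `user`'s line with a new '{SHA}' entry; return (new_text, password).

    Other lines (comments, other users) are preserved byte for byte.
    """
    new_password = new_password or secrets.token_urlsafe(24)
    out, found = [], False
    for raw in text.splitlines():
        u, sep, _ = raw.partition(":")
        if sep and u == user:
            out.append(f"{user}:{sha_hash(new_password)}")
            found = True
        else:
            out.append(raw)
    if not found:
        raise KeyError(f"user {user!r} not present in htpasswd")
    return "\n".join(out) + "\n", new_password


# Constructed sample data: not the file XAMPP ships, not real credentials.
WEAK_CANDIDATES = ["password123", "xampp", "webdav"]
SAMPLE_HTPASSWD = (
    "# constructed sample htpasswd\n"
    f"webdav:{sha_hash('password123')}\n"
    f"admin:{sha_hash('Correct-Horse-9-Battery')}\n"
)

if __name__ == "__main__":
    entries = parse_htpasswd(SAMPLE_HTPASSWD)
    print("weak entries before rotation:", weak_users(entries, WEAK_CANDIDATES))
    new_text, pw = rotate_password(SAMPLE_HTPASSWD, "webdav")
    print("weak entries after rotation: ",
          weak_users(parse_htpasswd(new_text), WEAK_CANDIDATES))
    print("new webdav password (store it in your password manager):", pw)
```

After rotating, restart Apache so the new file is read, and keep the WebDAV `<Location>` behind `Require valid-user` as the linked Apache Friends thread describes; if you do not use WebDAV at all, removing the alias from the Apache configuration (the approach mentioned later in this thread) is simpler than managing the password.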
 
This has been known for a few years (maybe not within the OT community) :)
But thanks for sharing this with the community, making people realize maybe they aren't as safe as they believe :)

Rep++ on that post because of that =)
 
There are servers still vulnerable to this but most have been patched in the past few months. I suspect because of this post the final servers will get exploited because everybody in the OT community knows about this now. I believe the newest XAMPP has this issue secured though, I haven't updated mine in a while.
 
People who are into hacking might know this, not everyone is a hacker though. This announcement is for people who do not know about this vulnerability and use a flawed version of XAMPP.
 
It seems to be a lot better to configure IIS+PHP and standalone MySQL Server. It's even easier to manage than XAMPP...

(I'll make a tutorial about it later)
 
It seems to be a lot better to configure IIS+PHP and standalone MySQL Server. It's even easier to manage than XAMPP...

(I'll make a tutorial about it later)

Too much trouble while you can secure XAMPP easily.
 
I was hacked by "Delirium group". Scene kids, trying to be cool, stationed in Greece, hmm, you're from Greece Deli and your name matches.. weird!
 
I was hacked by "Delirium group". Scene kids, trying to be cool, stationed in Greece, hmm, you're from Greece Deli and your name matches.. weird!

I didn't deface your website, it's not called Delirium group, it's called Greek Hacking Scene. I used it to prove my point to Talaturen and to check if WebDAV can be indeed exploited. Nothing was touched, secure it and you will be fine :)
 
I warned everyone about this like 5 months ago... even made a tutorial on how to fix it :) But as usual... so many haters, so I removed it! :D
 
And tell me again, why do we support xampp and continue to make tutorials containing xampp?
http://otland.net/f479/nothing-full...niform-server-forgotten-server-0-3-6-a-77593/

I was searching the web, looking for alternatives to XAMPP, because using XAMPP for this Open Tibia community is a really bad habit!

XAMPP is for testing purposes, mainly for your local machine. If you get into problems using XAMPP and post about it at their forum, they will stamp "IDIOT" on your head and say "XAMPP has never been made and probably will never be made for serious hosting".

XAMPP is made for testing purpose. And it is insecure, and heavy.

I was browsing the web, hoping to find an alternative to XAMPP that is easier to install and use.

And that is Uniform Server.

Why use Uniform Server instead of XAMPP?
1. Security
2. Lightweight (XAMPP 51 MB, XAMPP Lite 28 MB, Uniform Server 8.75 MB).
3. Easier to use.
4. XAMPP got lots of unnecessary features, especially for the Open Tibia community. Despite the small size of Uniform Server, it has all we need.

Installing Uniform Server will give you:
MySQL database.
phpMyAdmin to administrate the MySQL database.
Apache hosting.
PHP 5.3.5+
eAccelerator to make the website faster.

XAMPP + Modern AAC = Page rendered in: 0.0554 seconds.
Uniform Server + Modern AAC = Page rendered in: 0.0219 seconds.

Do I need to say more? So let's get started!
 
Microsoft's web server sux :)

The only thing it's good for is AD based intrawebs :p and remote desktop services... otherwise it's just crap, just like their SQL Server.

Of course it is. But it's way better and easier to manage than XAMPP!
 
Just simply remove this folder and poff, it's fixed, or am I wrong?? :p
At least that's what I did a long time ago..
 