[Security] Serious vulnerability on XAMPP - Everyone using XAMPP, please read this!

Greetings OTLand members.

It has come to my attention that XAMPP comes with a security flaw which is exploited through the use of the WebDAV (C:/xampp/webdav) folder. A hacker could upload scripts with malicious code onto your website (a shell for instance or a DoS script), thus gaining full access to the website's files and sometimes to the entire server. Since TFS users have their database credentials in config.lua, this, by extension, could give the hacker root access to the database of the victim.

The results of such an attack are serious and it could turn your server into a zombie, mess with your server's database (creating god accounts for instance), getting your server's scripts/modifications/configuration etc. or deface your website.

I won't describe how to exploit this vulnerability and I will go straight into giving you the solution.

Please visit this link to learn how to secure your XAMPP: Apache Friends Support Forum - WebDAV security flaw solution

Or alternatively you can change the password of WebDAV in this file: /xampp/security/webdav.htpasswd

Yours,
Delirium.

P.S: Feel free to PM me if you need assistance.
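The two fixes the post points at (force a login on the WebDAV location, and rotate the credential in webdav.htpasswd) can be checked from the defender's side. The script below is an added example, not code from the original post, from XAMPP or from Apache: it parses Apache `<Location>` blocks and flags any that enable DAV without an AuthType/AuthUserFile/Require combination, and it classifies each htpasswd entry by hash scheme so weak or plaintext entries stand out. The config fragment and the htpasswd lines are constructed for the demo (the paths mimic XAMPP's layout but are assumptions, the users and hashes are textbook samples, not anyone's credentials), and the parser is deliberately simple: no `Include` following, no nested containers.

```python
"""Audit an Apache (XAMPP-style) WebDAV setup: is DAV enabled without a login,
and does the htpasswd file guarding it hold strong hashes?"""
import re

# Constructed httpd-dav.conf fragment in XAMPP's layout (paths and the second
# Location are assumptions for the demo, not XAMPP's shipped file).
SAMPLE_DAV_CONF = """\
DavLockDB "C:/xampp/apache/var/DavLock"
Alias /webdav "C:/xampp/webdav"
<Location /webdav>
    Dav On
    AuthType Basic
    AuthName "WebDAV"
    AuthUserFile "C:/xampp/security/webdav.htpasswd"
    Require valid-user
</Location>
Alias /share "C:/xampp/share"
<Location /share>
    Dav On
    Require all granted
</Location>
"""

# Constructed htpasswd lines (made-up users; the hashes are textbook samples):
# bcrypt, Apache's {SHA} scheme, and a plaintext entry.
SAMPLE_HTPASSWD = """\
ops:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
devuser:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
legacy:plaintextsecret
"""

_LOCATION_RE = re.compile(r'<Location\s+"?([^\s">]+)"?\s*>(.*?)</Location>',
                          re.IGNORECASE | re.DOTALL)


def parse_locations(conf):
    """Map each <Location path> to its directive lines, minus comments/blanks."""
    blocks = {}
    for path, body in _LOCATION_RE.findall(conf):
        lines = (ln.strip() for ln in body.splitlines())
        blocks[path] = [ln for ln in lines if ln and not ln.startswith("#")]
    return blocks


def _directive_value(lines, name):
    """Argument string of the first directive called `name`, or None if absent."""
    for ln in lines:
        parts = ln.split(None, 1)
        if parts[0].lower() == name.lower():
            return parts[1].strip().strip('"') if len(parts) > 1 else ""
    return None


def unprotected_dav_locations(conf):
    """Paths that enable DAV (anything but 'Dav Off') without forcing a login:
    protected means AuthType, AuthUserFile and a Require other than
    'all granted' all appear in the same block."""
    unsafe = []
    for path, lines in parse_locations(conf).items():
        dav = _directive_value(lines, "Dav")
        if dav is None or dav.lower() == "off":
            continue
        require = _directive_value(lines, "Require")
        authed = (_directive_value(lines, "AuthType") is not None
                  and _directive_value(lines, "AuthUserFile") is not None
                  and require is not None
                  and require.lower() != "all granted")
        if not authed:
            unsafe.append(path)
    return unsafe


WEAK_SCHEMES = frozenset({"sha1", "crypt", "plaintext"})


def htpasswd_schemes(text):
    """Classify each entry's hash scheme by the prefix htpasswd(1) writes."""
    schemes = {}
    for ln in text.splitlines():
        if not ln.strip() or ln.startswith("#") or ":" not in ln:
            continue
        user, digest = ln.split(":", 1)
        if digest.startswith(("$2y$", "$2a$", "$2b$")):
            schemes[user] = "bcrypt"
        elif digest.startswith("$apr1$"):
            schemes[user] = "apr1-md5"
        elif digest.startswith("{SHA}"):
            schemes[user] = "sha1"
        elif re.fullmatch(r"[./0-9A-Za-z]{13}", digest):
            schemes[user] = "crypt"          # legacy DES crypt(3) entry
        else:
            schemes[user] = "plaintext"
    return schemes


def weak_htpasswd_users(text):
    """Users whose entries should be regenerated with a strong scheme."""
    return sorted(u for u, s in htpasswd_schemes(text).items() if s in WEAK_SCHEMES)


def audit(conf, htpasswd):
    """Both checks as a list of human-readable findings."""
    schemes = htpasswd_schemes(htpasswd)
    findings = [f"{p}: DAV enabled without authentication"
                for p in unprotected_dav_locations(conf)]
    findings += [f"htpasswd user {u!r}: weak {schemes[u]} entry"
                 for u in weak_htpasswd_users(htpasswd)]
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_DAV_CONF, SAMPLE_HTPASSWD):
        print("FINDING:", line)
```

To run it against a real install, read the DAV config XAMPP includes (assumed to live under `apache/conf/extra/httpd-dav.conf`) and `security/webdav.htpasswd` instead of the constructed strings. Any flagged user should be rewritten with Apache 2.4's `htpasswd -B` (bcrypt) and Apache restarted; if WebDAV is not actually used, setting `Dav Off` or dropping the include removes the upload path entirely.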
 
It's not the OS that is bugged, it's the application. You can find similar vulnerabilities on Linux based OSes too.
Not quite so. That's why there are stable, testing, unstable and experimental packages. It's (almost) impossible to find a vulnerability in an application from the stable repository, but in case of that, you get security updates. On Linux OS, the user is the vulnerability...
 
Nothing is unhackable and there's no application that has no security flaw. And the vulnerability you mentioned is the biggest one that exists with no fix patch, the human being.
 
And we all are gonna die die die...

---
We're not talking about 100% certainty, but the claimed and most probable case. Only death and taxes are for sure.
 
You're making absolutely no sense at all.

The OS doesn't matter here - the same vulnerability will exist on both Windows and Linux if the same flawed configuration is used.
 
You don't get it...
Debian won't ship flawed configuration because all packages are tested long enough before they go into stable branch.
No one tests any Windows packages apart from the XAMPP team itself, so a flawed configuration may happen.

Maybe OS doesn't matter, but OS' Policy does. Debian's Policy is very strict.
 
Installing XAMPP on Windows is the exact same thing as installing XAMPP on Linux: in both cases, you're installing them from outside the package repositories. The same way that stable packages are well tested in Debian, installing IIS and its updates from Windows Update will not give you a flawed configuration by default.

User error is the only vulnerability here. XAMPP is a poor piece of software.

In addition, considering Debian's track record, I wouldn't call their "testing policies" that great...
 
True.
It didn't even come to my mind that someone may install XAMPP on Linux when it's so easy to install Apache, PHP and MySQL server from packages.
I also wrote on the previous page that it's much better to simply use IIS+PHP, and we agree that XAMPP is a crapware.
 
You know how easy it is to mass deface websites hosted on IIS? It's a click n' run job. At least Apache has some sort of security against that.
 
This is bullshit. Keep IIS updated and you have nothing to worry about.
 
Then you might wanna explain to me what was wrong with an IIS I got mass defaced some days ago. It was the latest version, 7.5, wasn't it?
 
Every webserver can be brought down. We (I hope) won't argue here about the variety of configurations and stability measures.
We just came to the fact that Apache and IIS are shipped with a "secure" configuration and XAMPP provides us a flawed one. XAMPP sucks. No need to push further.
 
Something we do agree to ;) At least IIS is better secured than the others.
 
XAMPP does not suck. It was made for developers, not as a stable and secure product.
http://www.apachefriends.org/en/xampp.html said:
The philosophy behind XAMPP is to build an easy to install distribution for developers to get into the world of Apache. To make it convenient for developers XAMPP is configured with all features turned on.
The default configuration is not good from a security point of view and it's not secure enough for a production environment - please don't use XAMPP in such environment.
If people are stupid enough to keep using it as their production web/mysql server after reading XAMPP's own philosophy, I'm terribly sorry to say but XAMPP is not the problem, it's kinda obvious that the problem here is their own stupidity and/or laziness.</statingtheobvious>

To be honest, I like XAMPP. I use it whenever I'm on Windows (which is rarely). But I use it as it is intended to be used.

Thanks for the info.
 