
Security Serious vulnerability on XAMPP - Everyone using XAMPP, please read this!

Greetings OTLand members.

It has come to my attention that XAMPP comes with a security flaw which is exploited through the use of the WebDAV (C:/xampp/webdav) folder. A hacker could upload scripts with malicious code onto your website (a shell for instance or a DoS script), thus gaining full access to the website's files and sometimes to the entire server. Since TFS users have their database credentials in config.lua, this, by extension, could give the hacker root access to the database of the victim.

The results of such an attack are serious and it could turn your server into a zombie, mess with your server's database (creating god accounts for instance), getting your server's scripts/modifications/configuration etc. or deface your website.

I won't describe how to exploit this vulnerability and I will go straight into giving you the solution.

Please visit this link to learn how to secure your XAMPP: Apache Friends Support Forum - WebDAV security flaw solution

Or alternatively you can change the password of WebDAV in this file: /xampp/security/webdav.htpasswd

Yours,
Delirium.

P.S: Feel free to PM me if you need assistance.
 
@UP
True. That's why we should provide as many tutorials about other possibilities (bare-metal Apache + PHP + MySQL or IIS+PHP + MySQL or UniServer) to decrease the usage of XAMPP among otserver hosters.
 
I deleted WebDAV... will that stop them from hacking me? And I'm going to change all the passwords in XAMPP, change the name of my OT database and change passwords; is this going to work?
 
I deleted WebDAV... will that stop them from hacking me? And I'm going to change all the passwords in XAMPP, change the name of my OT database and change passwords; is this going to work?
delete xampp, get a "real" webserver and patch gesior exploits (if you use gesior) then maybe you will not be hacked :p
 
Then you might wanna explain to me what was wrong with an IIS I got mass defaced some days ago. It was the latest version, 7.5, isn't it?

This is idiotic (non-)logic. The fact that you're using IIS does not mean that IIS is the source of the security hole the same way that Apache is not the problem when people are running vulnerable versions of Gesior and get hacked.

The claim that "websites hosted on IIS can be defaced with a single click" also makes no sense at all.
 
This is idiotic (non-)logic. The fact that you're using IIS does not mean that IIS is the source of the security hole the same way that Apache is not the problem when people are running vulnerable versions of Gesior and get hacked.

The claim that "websites hosted on IIS can be defaced with a single click" also makes no sense at all.

Prove me wrong instead of saying I make no sense, that's not a valid argument. Windows doesn't even have a Linux-like rights system. You can have access to every website hosted on IIS by just uploading a shell to one of them. It's not entirely an IIS issue, but it's still something that shouldn't be working that way.
 
Prove me wrong instead of saying I make no sense

You've made such a flawed and vague statement that it's impossible to build any sort of argument to disprove it. Your site being defaced does not automatically mean that the security hole existed in the web server you're using. There are many different attack vectors to consider.

Windows doesn't even have a Linux-like rights system.

If you mean file permissions, you couldn't be more wrong. NTFS has a powerful ACL system that is a million times ahead of Linux. (The ext series of filesystems is generally superior, though.)

You can have access to every website hosted on IIS by just uploading a shell to one of them.

And how does this not apply to every other web server in the world? If an attacker is capable of uploading a shell through a hole, obviously they can access whatever the user Apache/PHP is running as can.

(Some solutions such as suexec on Apache exist for making different sites run as different users. I've never used IIS myself but it also seems to have functionality for running different domains under different user accounts.)

It's not entirely an IIS issue

You still haven't provided a single piece of evidence to show that it was an IIS issue at all.
 
Prove me wrong instead of saying I make no sense, that's not a valid argument. Windows doesn't even have a Linux-like rights system. You can have access to every website hosted on IIS by just uploading a shell to one of them.
On stock configuration, my gesior couldn't even read config.lua in TFS dir until I granted him permission to do so. (I still don't like Windows file permissions.)

If you mean file permissions, you couldn't be more wrong. NTFS has a powerful ACL system that is a million times ahead of Linux. (The ext series of filesystems is generally superior, though.)
The great majority of Linux systems use ext3/ext4 filesystems, so... WTF?!
Btw, good luck scripting changes to file permissions :) Even if it's possible with powershell, its complexity is "million times ahead of Linux". I prefer old, good octal values.
 
The great majority of Linux systems use ext3/ext4 filesystems, so... WTF?!

What's your point here?

Btw, good luck scripting changes to file permissions :)

Must be impossible... or not!

its complexity is "million times ahead of Linux". I prefer old, good octal values.

Whatever you prefer has nothing to do with the discussion at hand. My point was that Delirium is wrong - I'm not here to argue whether the file permission system used by Windows is any good.
 
If you mean file permissions, you couldn't be more wrong. NTFS has a powerful ACL system that is a million times ahead of Linux. (The ext series of filesystems is generally superior, though.)
I already did.
 
You've made such a flawed and vague statement that it's impossible to build any sort of argument to disprove it. Your site being defaced does not automatically mean that the security hole existed in the web server you're using. There are many different attack vectors to consider.



If you mean file permissions, you couldn't be more wrong. NTFS has a powerful ACL system that is a million times ahead of Linux. (The ext series of filesystems is generally superior, though.)



And how does this not apply to every other web server in the world? If an attacker is capable of uploading a shell through a hole, obviously they can access whatever the user Apache/PHP is running as can.

(Some solutions such as suexec on Apache exist for making different sites run as different users. I've never used IIS myself but it also seems to have functionality for running different domains under different user accounts.)



You still haven't provided a single piece of evidence to show that it was an IIS issue at all.

What I am trying to say is that IIS is flawed because it's running on Windows. If IIS was running on Linux too it would be hell better in my opinion than any other webserver out there. Wait, you make no sense at all now. The ACL system of NTFS is million times ahead of Linux but EXT is superior? EXT is superior because it's better than NTFS and permissions is generally the reason why every website on IIS can be defaced with a single click, because you have write access to any folder on it, something that it's almost hard to find on Apache running on Linux for instance.

To sum it up. Most people that run their websites on IIS have it running under an admin user. I've never found a website hosted on Linux running under root.
 
Wait, you make no sense at all now. The ACL system of NTFS is million times ahead of Linux but EXT is superior?

What's the problem here? My point is that the permission system on Windows + NTFS is far more powerful, but overall ext4 is better than NTFS. (Specific differences between NTFS & ext also don't belong in this discussion.) Just because Linux & ext4 "lose" at file permissions doesn't mean that ext4 can't be "better".

EXT is superior because it's better than NTFS

This is some grade A argumentation right here.

and permissions is generally the reason why every website on IIS can be defaced with a single click, because you have write access to any folder on it, something that it's almost hard to find on Apache running on Linux for instance. To sum it up. Most people that run their websites on IIS have it running under an admin user. I've never found a website hosted on Linux running under root.

You are full of bullshit.

IIS supports full isolation of different sites to different user accounts. Look up application pools and identities (you'd think that someone who has actually used IIS in production would know this, but apparently not). In fact, Microsoft's own PHP guide also encourages administrators to isolate each site to different application pool & identity.

Apache on Linux doesn't run as root, but in a typical setup each site and its scripts are run as the same user. This means that when one site is compromised, the others can also be defaced at the same time.
 
What's the problem here? My point is that the permission system on Windows + NTFS is far more powerful, but overall ext4 is better than NTFS. (Specific differences between NTFS & ext also don't belong in this discussion.) Just because Linux & ext4 "lose" at file permissions doesn't mean that ext4 can't be "better".



This is some grade A argumentation right here.



You are full of bullshit.

IIS supports full isolation of different sites to different user accounts. Look up application pools and identities (you'd think that someone who has actually used IIS in production would know this, but apparently not). In fact, Microsoft's own PHP guide also encourages administrators to isolate each site to different application pool & identity.

And no, IIS does not run as the administrator user.

Apache on Linux doesn't run as root, but in a typical setup each site and its scripts are run as the same user. This means that when one site is compromised, the others can also be defaced at the same time.

You're either amazingly ignorant or a liar.

You can deface all websites using Apache on Linux when you upload a kernel exploit inside the server and then compile it inside the box. That's when you can elevate your user's rights to root hence giving you full permissions to every folder inside the box. Apparently, all that you're posting here is information you've read, have you ever checked it yourself? The majority of websites I've defaced using IIS were on the same box and I just needed to get access through a shell to only a single one of them, then, voila! I got the entire webserver owned. It doesn't happen the same way on Apache/nginx/whatever on Linux. You can't get access outside the main website folder unless the server's admin is an idiot.

I can show you a live proof of concept about this if you want.
 
You can deface all websites using Apache on Linux when you upload a kernel exploit inside the server and then compile it inside the box. That's when you can elevate your user's rights to root hence giving you full permissions to every folder inside the box.

How many times do I need to repeat myself? In almost every typical Apache & PHP setup, every single PHP script is executed as the same user. As an example, let's call this user www-data (as it is named by default on many distribution packages).

www-data obviously needs to have access to every directory that Apache hosts.

Let's imagine that we have two web sites on this server, at example1.com and example2.com. In the server, their contents are located at /srv/example1/ and /srv/example2/. www-data has access to these directories.

example1.com is being used to host an outdated PHP script with a vulnerability. Using this vulnerability, an attacker can upload a shell. Using this shell, the attacker can also access the site at /srv/example2 and vice-versa.

The majority of websites I've defaced using IIS were on the same box and I just needed to get access through a shell to only a single one of them, then, voila! I got the entire webserver owned.

This is user error in configuration and not the fault of IIS. In contrast to the example above, on an IIS instance configured according to Microsoft's recommendations (and common sense), the hole at example1.com will not allow the attacker access to example2.
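The shared-user scenario from the post above, written as a small audit (an added example, not part of the original thread). It models POSIX permission-class selection over docroot ownership and mode bits to report which site's run-as account can reach another site's files; the uid/gid numbers, the `Site` fields and the three layouts are constructed for illustration.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Site:
    name: str
    run_uid: int         # account the site's scripts execute as
    run_gids: frozenset  # groups of that account
    root_uid: int        # docroot owner (st_uid from os.stat)
    root_gid: int        # docroot group (st_gid)
    root_mode: int       # docroot permission bits (st_mode & 0o777)

def access(uid, gids, target):
    """Return 'rw', 'r', 'w' or '' for uid on target's docroot.
    POSIX picks exactly one class: owner, else group, else other.
    Simplification: without the search (x) bit we report no access."""
    if uid == 0:
        return "rw"
    if uid == target.root_uid:
        r, w, x = stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR
    elif target.root_gid in gids:
        r, w, x = stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP
    else:
        r, w, x = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH
    m = target.root_mode
    if not m & x:
        return ""
    return ("r" if m & r else "") + ("w" if m & w else "")

def cross_site_exposure(sites):
    """List (from_site, to_site, access) where one site's account reaches another."""
    return [(s.name, d.name, access(s.run_uid, s.run_gids, d))
            for s in sites for d in sites
            if s is not d and access(s.run_uid, s.run_gids, d)]

def layout(uids, mode):
    # Constructed sample: each docroot is owned by its site's run-as account.
    names = ("example1.com", "example2.com")
    return [Site(n, u, frozenset({u}), u, u, mode) for n, u in zip(names, uids)]

SHARED = layout((33, 33), 0o755)        # one www-data-style account for both sites
ISOLATED = layout((2001, 2002), 0o750)  # per-site accounts, docroots closed to others
LOOSE = layout((2001, 2002), 0o755)     # per-site accounts, docroots world-readable

if __name__ == "__main__":
    for label, sites in (("shared", SHARED), ("isolated", ISOLATED), ("loose", LOOSE)):
        print(label, cross_site_exposure(sites))
```

The `LOOSE` layout shows that per-site accounts alone are not enough: a world-readable docroot still lets the neighbouring site's account read files such as configuration with database credentials.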
 
You both fail.

Apache can run with suPHP, thus running all scripts from site1 as one user and site2 as different user.

IIS creates a different identity (some sort of different system user) for each application pool IIS is hosting. It means the same as suPHP.

So stop spreading shit.
 
You both fail.

Apache can run with suPHP, thus running all scripts from site1 as one user and site2 as different user.

IIS creates a different identity (some sort of different system user) for each application pool IIS is hosting. It means the same as suPHP.

So stop spreading shit.

(Some solutions such as suexec on Apache exist for making different sites run as different users. I've never used IIS myself but it also seems to have functionality for running different domains under different user accounts.)

...
 
This is not going anywhere. It seems all servers are powerful when they are properly configured and all can work like shit if they're not configured. We didn't invent anything new in that matter.
 
This is not going anywhere. It seems all servers are powerful when they are properly configured and all can work like shit if they're not configured. We didn't invent anything new in that matter.

Which is what I've pretty much been saying all along. This is the original post that I objected to:

You know how easy it is to mass deface websites hosted on IIS? It's a click n' run job. At least Apache has some sort of security against that.

This is a completely ridiculous and ignorant claim to make. It's just simply false.
 