
[Security] Serious vulnerability in XAMPP - Everyone using XAMPP, please read this!

Greetings OTLand members.

It has come to my attention that XAMPP comes with a security flaw which is exploited through the use of the WebDAV (C:/xampp/webdav) folder. A hacker could upload scripts with malicious code onto your website (a shell, for instance, or a DoS script), thus gaining full access to the website's files and sometimes to the entire server. Since TFS users have their database credentials in config.lua, this, by extension, could give the hacker root access to the victim's database.

The results of such an attack are serious: it could turn your server into a zombie, mess with your server's database (creating god accounts, for instance), steal your server's scripts/modifications/configuration, etc., or deface your website.

I won't describe how to exploit this vulnerability and I will go straight into giving you the solution.

Please visit this link to learn how to secure your XAMPP: Apache Friends Support Forum - WebDAV security flaw solution

Or alternatively you can change the password of WebDAV on this file: /xampp/security/webdav.htpasswd

Yours,
Delirium.

P.S: Feel free to PM me if you need assistance.
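The post's second remedy is to change the password stored in /xampp/security/webdav.htpasswd. The script below is an added example (not from the original post and not XAMPP's own tooling) that audits such a file for a list of candidate weak passwords and rotates an entry. It assumes Apache's unsalted "{SHA}" htpasswd scheme, which mod_authn_file accepts and which the Python standard library can produce; the sample file contents, the user name "dav" and the candidate-password list are constructed for the example. Entries in other schemes (for instance $apr1$ MD5, which XAMPP's shipped file may use) are reported as unchecked rather than silently passed.

```python
"""Audit and rotate entries in an Apache htpasswd file such as XAMPP's webdav.htpasswd."""
import base64
import hashlib
import hmac
import secrets
import string

# Apache's "{SHA}" htpasswd scheme: "{SHA}" followed by base64(SHA-1(password)).
# It is unsalted, so prefer bcrypt (htpasswd -B) where the bundled htpasswd supports it;
# {SHA} is used here because the standard library can both produce and verify it.
SHA_PREFIX = "{SHA}"


def sha_entry(user: str, password: str) -> str:
    """Build one htpasswd line in {SHA} format."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{SHA_PREFIX}{base64.b64encode(digest).decode('ascii')}"


def verify_sha_entry(entry: str, password: str) -> bool:
    """True if a {SHA} entry matches password; False for any other scheme."""
    _user, _sep, stored = entry.partition(":")
    if not stored.startswith(SHA_PREFIX):
        return False
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    candidate = base64.b64encode(digest).decode("ascii")
    # Constant-time compare so the check does not leak how many characters matched.
    return hmac.compare_digest(stored[len(SHA_PREFIX):], candidate)


def random_password(length: int = 24) -> str:
    """Generate a random alphanumeric password with the secrets module."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit(htpasswd_text: str, weak_candidates: list[str]) -> dict[str, str]:
    """Map each user to 'weak', 'ok' or 'unchecked' (entry is not in {SHA} format)."""
    report = {}
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _sep, stored = line.partition(":")
        if not stored.startswith(SHA_PREFIX):
            report[user] = "unchecked"
        elif any(verify_sha_entry(line, c) for c in weak_candidates):
            report[user] = "weak"
        else:
            report[user] = "ok"
    return report


def rotate(htpasswd_text: str, user: str, new_password: str) -> str:
    """Return the file text with user's entry replaced (or appended) by a fresh {SHA} entry."""
    lines, replaced = [], False
    for line in htpasswd_text.splitlines():
        if line.partition(":")[0] == user:
            lines.append(sha_entry(user, new_password))
            replaced = True
        else:
            lines.append(line)
    if not replaced:
        lines.append(sha_entry(user, new_password))
    return "\n".join(lines) + "\n"


# Constructed sample file: a {SHA} entry for user "dav" with the weak password "changeme",
# plus an $apr1$ entry this script cannot verify (the digest text is a placeholder).
SAMPLE_HTPASSWD = sha_entry("dav", "changeme") + "\nlegacy:$apr1$placeholder\n"
# Assumed candidate list for the audit; extend it with whatever your installer shipped.
WEAK_CANDIDATES = ["changeme", "xampp", "password"]


if __name__ == "__main__":
    # On a real install, read and write C:/xampp/security/webdav.htpasswd instead.
    print("before:", audit(SAMPLE_HTPASSWD, WEAK_CANDIDATES))
    new_pw = random_password()
    rotated = rotate(SAMPLE_HTPASSWD, "dav", new_pw)
    print("after: ", audit(rotated, WEAK_CANDIDATES))
    print("new password for dav (configure it in your DAV client):", new_pw)
```

Rotating the password still leaves WebDAV reachable over the network; if you do not actually use it, removing or disabling the WebDAV location is the smaller attack surface, and any entry the audit reports as "unchecked" should be rotated anyway, since the script cannot tell whether it is still the shipped default.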
Who runs Apache under root? Windows XAMPP users that don't know wtf they're doing.
Who runs IIS under root? Since... some update (check Wikipedia for more info), Microsoft made IIS switch to its own limited account automatically... (like apache2 does under most Linux distros since forever... check the members of www-data)
 
Since when does Windows have root?
 
This has been known for a few years (maybe not within the OT community),
but thanks for sharing this with the community, making people realize maybe they aren't as safe as they believe.


 
zzzz

Nice one, but kind of a buzzkill =( To be honest, not to be a b*tch or something, but people should learn for themselves; nowadays 99% of all OT hosters are f*cking noobs who have no knowledge at all.. Guess my noob-pwning days are soon to be over >.> xD
 