XAMPP change administrative password: -------------------------------------------------------------------------------- Written by Michael Brooks special thanks to str0ke Affects XAMPP 1.6.8. homepage: http://www.apachefriends.org/ XAMPP has 17+ million downloads from sourceforge.net. register_globals=On or Off This attack is exploitable even when this page is reporting a fully secure system: There are two vulnerabilities that are being used toagther. 1)Global variable manipulation to spoof ip address. 2)XSRF to change the .htaccess password for and . The $_SERVER[REMOTE_ADDR] comes directly from Apache's tcp socket and this cannot normally be spoofed. However extract($_POST); can be used to overwrite any declared variable, including the $_SERVER superglobal. This can be used to "spoof" your ip address as This xsrf attack can be exploited from a browser in any ip address, so long as that browser is currently authenticated. This vulnerable code is from the very top of: /security/xamppsecurity.php FORBIDDEN FOR CLIENT $REMOTE_ADDR

"; exit; } } //... //Start of xsrf attack
//End of xsrf attack # milw0rm.com [2008-12-08]