Home page logo

metasploit logo Metasploit mailing list archives

Many "Xampp for Windows"-Versions using well known default PW for WebDAV-Service
From: Oliver Kleinecke <okleinecke () web de>
Date: Wed, 30 Jun 2010 13:24:29 +0200 (CEST)

Hello Metasploit-Team & Users,

while securing a tinier network, I fell over a massively spreaded default-PW for the WebDAV-Service of XAMPP for 
Windows. Since the WebDAV-service is installed & activated by default in many Versions, with a documented default PW 
(wampp:xampp) and XAMPP supports PHP too, of course, this is a really,really bad thing. This could be abused over WAN 
too, and I suppose there are quite a lot of WebServers running this Software (-.-). In some Versions, the 
"Security-Page" doesn`t even tell the admin to change that default PW. Even more problematic is the fact, that 
WebServers running the affected versions are easy to identify, since the webserver-banners are unique enough.

I do know, that there are some really nice modules available for WebDAV, but they are mostly focussed on IIS & ASP, 
bypassing the required auth. Perhaps this one is interesting enough to integrate it to the current modules or to make a 
separate module for it? Nearly any Version from XAMPP 1.6.8 to 1.7.x is affected. I`m afraid I am pretty busy right 
now, but if you agree that this is as severe as I think it is, I will try to write a module myself, though anyone else 
could write it a lot better/quicker than me, I suppose.

Best regards from Germany,


GRATIS für alle WEB.DE Nutzer: Die maxdome Movie-FLAT!
Jetzt freischalten unter http://movieflat.web.de

  By Date           By Thread  

Current thread:
  • Many "Xampp for Windows"-Versions using well known default PW for WebDAV-Service Oliver Kleinecke (Jun 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]