Many "Xampp for Windows"-Versions using well known default PW for WebDAV-Service
From: Oliver Kleinecke <okleinecke () web de>
Date: Wed, 30 Jun 2010 13:24:29 +0200 (CEST)
Hello Metasploit-Team & Users,
while securing a smaller network, I stumbled over a massively widespread default PW for the WebDAV service of XAMPP for
Windows. Since the WebDAV service is installed & activated by default in many versions, with a documented default PW
(wampp:xampp), and XAMPP supports PHP too, of course, this is a really, really bad thing. This could be abused over WAN
too, and I suppose there are quite a lot of web servers running this software (-.-). In some versions, the
"Security-Page" doesn't even tell the admin to change that default PW. Even more problematic is the fact that
web servers running the affected versions are easy to identify, since the webserver banners are unique enough.
I do know that there are some really nice modules available for WebDAV, but they are mostly focussed on IIS & ASP,
bypassing the required auth. Perhaps this one is interesting enough to integrate it into the current modules or to make a
separate module for it? Nearly any version from XAMPP 1.6.8 to 1.7.x is affected. I'm afraid I am pretty busy right
now, but if you agree that this is as severe as I think it is, I will try to write a module myself, though anyone else
could write it a lot better/quicker than me, I suppose.
Best regards from Germany,
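
A defender-side check for the condition reported above, as an added example that is not part of the original post or of XAMPP: it scans an Apache digest-auth password file for entries still set to the wampp:xampp pair. It assumes the WebDAV password file uses the htdigest format `user:realm:MD5(user:realm:password)`; the sample file, realm names and function names are constructed for illustration.

```python
import hashlib

# Default WebDAV credential pair named in the post above.
KNOWN_DEFAULTS = [("wampp", "xampp")]


def ha1(user, realm, password):
    """Digest-auth HA1 value as stored by Apache htdigest."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def find_default_entries(htdigest_text, defaults=KNOWN_DEFAULTS):
    """Return (line_no, user, realm) for entries still using a known default."""
    findings = []
    for line_no, raw in enumerate(htdigest_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Assumed layout: user:realm:hash. The realm may itself contain ':'.
        user, sep, rest = line.partition(":")
        realm, sep2, stored = rest.rpartition(":")
        if not sep or not sep2:
            continue  # malformed, or a two-field htpasswd-style line
        for d_user, d_pass in defaults:
            if user == d_user and stored.lower() == ha1(user, realm, d_pass):
                findings.append((line_no, user, realm))
    return findings


def build_sample():
    """Constructed sample file: one default entry, two changed, one malformed."""
    realm = "Example DAV realm"  # constructed realm name
    other = "Other realm"        # constructed realm name
    return "\n".join([
        "# constructed sample, not taken from a real installation",
        f"wampp:{realm}:{ha1('wampp', realm, 'xampp')}",
        f"wampp:{other}:{ha1('wampp', other, 'S0me-long-unique-passphrase')}",
        f"alice:{realm}:{ha1('alice', realm, 'another-unique-passphrase')}",
        "broken-line-without-fields",
    ])


if __name__ == "__main__":
    for line_no, user, realm in find_default_entries(build_sample()):
        print(f"line {line_no}: user {user!r} in realm {realm!r} "
              "still has the default password")
```

Any entry it reports should have its password changed or the account removed before the service is reachable from other hosts.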