Multiple vulnerabilities in XAMPP

Hello 3APA3A!

I want to warn you about multiple security vulnerabilities in XAMPP.

These are Predictable Resource Location, Information Leakage, Cross-Site Scripting and Directory
Traversal vulnerabilities.

Predictable Resource Location:

There are standard paths to resources in XAMPP, which can be used for attack.

http://site/security/ - security service of XAMPP
http://site/xampp/ - admin panel of XAMPP
http://site/phpmyadmin/ - PhpMyAdmin
http://site/webalizer/ - Webalizer

Information Leakage:

http://site/webalizer/

Access to Webalizer is not restricted and taking into account that path to the resource is known,
anyone can gain access to statistic of the site, which can lead to considerable information
leakage, including about different resources at the site.

Information Leakage:

http://site/security/

Security service of XAMPP (XAMPP SECURITY [Security Check 1.0]), if access to it is opened, leads
to information leakage.

It shows information about version of PHP and about status of components of XAMPP, particularly
PhpMyAdmin.

XSS:

http://site/xampp/showcode.php?TEXT[global-showcode]=%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/xampp/showcode.php?showcode=1&TEXT[global-sourcecode]=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Works with register globals on.

Directory Traversal:

http://site/xampp/showcode.php?showcode=1&file=../index.php

Works with register globals on.

Vulnerable are XAMPP 1.6.8 and previous versions. And potentially next versions (including last
version XAMPP 1.7.1).

I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/3230/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

!DSPAM:4a5f6843205145557497318!