Bugtraq mailing list archives
Re: Multiple vulnerabilities in XAMPP (advisory #7)
From: "MustLive" <mustlive () websecurity com ua>
Date: Sat, 6 Feb 2010 23:56:39 +0200
Hello Sebastien! You can confirm it by yourself. Just find a site on XAMPP (Google can help you with it) and check the holes using PoCs which I provided.
and what target of xampp is it ? win32 ? linux ?
As far as I remember last year when I found all these vulnerabilities in XAMPP, it was XAMPP on Windows servers on all those sites where I found these holes. In 99% of cases I'm researching vulnerabilities in the Web at real sites, not at localhost (at localhost I can check for holes only in software which I use). And I had never used XAMPP (or WAMPP or LAMPP) and I checked all these holes at real web sites. So in all my advisories I wrote "Vulnerable are XAMPP 1.6.8 and previous versions", because maximum version which I found was 1.6.8. And it was quite possible that version 1.7.1 (last version at that time) was also vulnerable, so I mentioned about it in my advisories. And XAMPP developers didn't refute existence of vulnerabilities in 1.7.0 and 1.7.1, when I informed them, and didn't answer if they fixed the holes (so it's possible that these holes are still not fixed). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua----- Original Message ----- From: S?bastien H?nar?s
To: MustLive Cc: advisories () intern0t net ; bugtraq () securityfocus com Sent: Friday, February 05, 2010 1:19 AM Subject: Re: Multiple vulnerabilities in XAMPP (advisory #7) Hello people, can a secondary source confirm the vuln please ? and what target of xampp is it ? win32 ? linux ? 2010/2/4 MustLive <mustlive () websecurity com ua> Hello MaXe! Have you checked the newest aka (also known as) latest version which is actually: 1.7.3 ? No, I didn't and there was a reason for it. All these 7 advisories were made in 2009 (as it clear from Timeline which I made for all advisories). Only now I sent them to Bugtraq. And that time XAMPP 1.7.1 was the latest version. Besides, in 2009 developer of XAMPP answered me (with thanks) only at one of seven letters and he didn't mention about fixing any of holes which I found. So there is possibility that all or some of these holes are still not fixed. I'm rarely sending advisories about vulnerabilities to Bugtraq. During 2007-2010 I sent only small amount of my advisories to Bugtraq. From the end of 2006 I was sending all holes (http://securityvulns.ru/source15611.html) which I found to securityvulns.ru (securityvulns.com) and 3APA3A, admin of these sites, sometimes sent some of them to Bugtraq. Last month I drew attention that he didn't write to Bugtraq about all these holes in XAMPP, so I decided to write about them by myself :-). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua
Current thread:
- Re: Multiple vulnerabilities in XAMPP (advisory #7) MustLive (Feb 04)
- Message not available
- Re: Multiple vulnerabilities in XAMPP (advisory #7) MustLive (Feb 08)
- Message not available