Metasploit mailing list archives
Many "Xampp for Windows"-Versions using well known default PW for WebDAV-Service
From: Oliver Kleinecke <okleinecke () web de>
Date: Wed, 30 Jun 2010 13:24:29 +0200 (CEST)
Hello Metasploit-Team & Users,

While securing a tinier network, I fell over a massively widespread default PW for the WebDAV service of XAMPP for Windows. Since the WebDAV service is installed & activated by default in many versions, with a documented default PW (wampp:xampp), and XAMPP supports PHP too, of course, this is a really, really bad thing. This could be abused over WAN too, and I suppose there are quite a lot of web servers running this software (-.-). In some versions, the "Security-Page" doesn't even tell the admin to change that default PW.

Even more problematic is the fact that web servers running the affected versions are easy to identify, since the webserver banners are unique enough.

I do know that there are some really nice modules available for WebDAV, but they are mostly focussed on IIS & ASP, bypassing the required auth. Perhaps this one is interesting enough to integrate it into the current modules or to make a separate module for it?

Nearly any version from XAMPP 1.6.8 to 1.7.x is affected.

I'm afraid I am pretty busy right now, but if you agree that this is as severe as I think it is, I will try to write a module myself, though anyone else could write it a lot better/quicker than me, I suppose.

Best regards from Germany,
Oliver
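An added example, not part of the original post and not XAMPP or Metasploit code: a local audit that checks whether an Apache digest password file still contains the default password named in the message. It assumes the WebDAV credentials are stored in htdigest format (`user:realm:MD5(user:realm:password)`); the function names, realm strings and sample entries are constructed for illustration.

```python
import hashlib
import hmac

DEFAULT_USER = "wampp"      # default account named in the post
DEFAULT_PASSWORD = "xampp"  # default password named in the post


def digest_ha1(user, realm, password):
    """Hash as written by Apache's htdigest tool: MD5(user:realm:password)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def find_default_entries(text):
    """Return (line_no, user, realm, is_default_user) for each entry whose
    stored hash matches the default password, even if the account was renamed."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.count(":") < 2:
            continue  # blank, comment, or not an htdigest entry
        # The realm may itself contain ':', so split the user off the front
        # and the hash off the back.
        user, rest = line.split(":", 1)
        realm, stored = rest.rsplit(":", 1)
        expected = digest_ha1(user, realm, DEFAULT_PASSWORD)
        if hmac.compare_digest(stored.lower(), expected):
            findings.append((line_no, user, realm, user == DEFAULT_USER))
    return findings


def build_sample():
    """Constructed password-file content (assumed htdigest layout)."""
    realm = "Example DAV realm"  # constructed realm, not taken from XAMPP
    return "\n".join([
        "# constructed sample entries",
        f"wampp:{realm}:{digest_ha1('wampp', realm, 'xampp')}",
        f"alice:{realm}:{digest_ha1('alice', realm, 'a-long-unique-passphrase')}",
        f"dav:realm:with:colon:{digest_ha1('dav', 'realm:with:colon', 'xampp')}",
        "malformed line without fields",
    ])


if __name__ == "__main__":
    for line_no, user, realm, is_default in find_default_entries(build_sample()):
        kind = "default account" if is_default else "renamed account, default password"
        print(f"line {line_no}: {user!r} in realm {realm!r}: {kind}")
```

Any finding means the entry should be replaced with a unique password, or WebDAV disabled if it is not needed.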