How to secure XAMPP (90%)

Thread status: Not open for further replies.
Posted by: Newbie Spellweaver (joined Sep 12, 2011; 44 messages; reaction score 1; location: Denmark)
Hey, so I've seen a few hotels which are running on XAMPP.
Here is a little guide on how you can secure your hotel while using XAMPP.

These are very simple steps; even a noob (no offence) should be able to do this.
This works of course for every version of hotels :). It also works for any other stuff you might make or whatever.

I: Information.
II: Tutorial LIST.
III: Guide(s).
IV: Credits.
________________________________________________________

I - Information:
Well, as I said before, this is a simple tutorial on how to secure your hotel, or any other stuff you use XAMPP for, 90%. I cannot help with securing XAMPP so it is DDoS-free.

II - Tutorial LIST:
1: How to stop people from uploading shells.
2: How to stop people from SQL injecting (PMA).
3: How to secure your hotel from hackers.

III - Guide(s):
1 - How to stop people from uploading shells:
Connecting to XAMPP:
Delete the "WebDav" folder from your XAMPP folder. (Drive:\xampp\webdav)

Reason: People (usually beginner hackers) can log in to your webdav folder (using username: "webdav" password: "wampp"/"xampp") and upload anything they want, delete anything, download etc. They can also navigate around your VPS/Dedi/PC once they have connected to webdav, so it is pretty dangerous to have webdav in your XAMPP folder.

File uploader:
1) If you have a file uploader, then make sure you have coded 'Available File Extensions'.

2) Make sure nobody knows what the folder's path is.

Reason:
1) If you don't have any 'Available File Extensions' then people can just upload a c99 shell or whatsoever and hack your site.

2) Well here, if you also don't have 'Available File Extensions', people can simply upload a shell, find the local path and then hack the website.


2 - How to stop people from SQL injecting (PMA):
Well, here there are several ways to stop people from SQL injecting your PMA.

The most simple is to not allow any IP address to access PMA, which is set in the Drive:\xampp\apache\conf\extra\httpd-xampp.conf file.
At the bottom line(s) you will find something saying:
"Order deny,allow
Deny from all
Allow from all"

If you put "#" in front of "Deny from all" then it will automatically allow from all. And there is the problem: then people can go to PMA from their own PC.
So it's simple, do not do that. But if you are running PHPRetro, then read the next tutorial on how to secure it, which is right under this one LOL.

___________________
Here is the other tutorial on how to secure your site from being SQL injected via PMA.

You go to Drive:\xampp and find a folder called "PHPMyAdmin"; change it to whatever you want, but something safe that nobody would ever think of, like: "This-Is-Not-PMA-So-Do-Not-Go-Here-Any-Hacker" LOL.
Well, after changing the folder name you will probably see you can't access it anywhere.
Here is the fix on how to make it accessible even with another folder name:

Go to Drive:\xampp\apache\conf\extra\httpd-xampp.conf and find the bottom lines. Here are the lines you will have to change (well, actually only 3 lines.. **THIS IS ONLY IF YOU HAVE ALLOWED PEOPLE FROM ENTERING ALL SITES, THE "#Deny from all" THING YOU READ BEFORE**):

Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
<Directory "C:/xampp/phpMyAdmin">
AllowOverride AuthConfig
</Directory>

Alias /webalizer "C:/xampp/webalizer/"
<Directory "C:/xampp/webalizer">
<IfModule php5_module>
<Files "webalizer.php">
php_admin_flag safe_mode off
</Files>
</IfModule>
AllowOverride AuthConfig
</Directory>
</IfModule>

#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
Order deny,allow
#Deny from all
Allow from ::1 127.0.0.0/8 \
fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
fe80::/10 169.254.0.0/16

ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>

So we will have to change everywhere it says: phpmyadmin :). So it will look like this (if you used the folder name I just made before):

Alias /This-Is-Not-PMA-So-Do-Not-Go-Here-Any-Hacker "C:/xampp/This-Is-Not-PMA-So-Do-Not-Go-Here-Any-Hacker/"
<Directory "C:/xampp/This-Is-Not-PMA-So-Do-Not-Go-Here-Any-Hacker">
AllowOverride AuthConfig
</Directory>

Alias /webalizer "C:/xampp/webalizer/"
<Directory "C:/xampp/webalizer">
<IfModule php5_module>
<Files "webalizer.php">
php_admin_flag safe_mode off
</Files>
</IfModule>
AllowOverride AuthConfig
</Directory>
</IfModule>

#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|This-Is-Not-PMA-So-Do-Not-Go-Here-Any-Hacker|webalizer|server-status|server-info))">
Order deny,allow
#Deny from all
Allow from ::1 127.0.0.0/8 \
fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
fe80::/10 169.254.0.0/16

ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>

So you see how easy it is? Just change everywhere it says "phpmyadmin" to the new folder name of your phpMyAdmin folder.



3 - How to secure your hotel from hackers:

There are several ways to avoid hackers; here are a few off the top of my head:

1: Work together with them.
2: Learn how to hack and then they won't be after you.
3: Pretend like you are one and then they will (SOMETIMES) be afraid of you and will go right away.
4: Ban them from your website.
5: Just let them be there.

IV - Credits:
Procrastinaire (ME) 60% = The whole thread & discovering how to.
Lee (Not on RageZone, sorry..) 20% = Testing everything.
vA (noobs *NO OFFENCE*) 20% = When Lee tested it, vA tried to hack us. (Notice: It didn't work, Haha!)


Not to be mean, but vA wouldn't know how to hack even if they got 1,000+ tutorials :).
Thanks for reading this tutorial, I really appreciate it!
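A worked version of the 'Available File Extensions' check from guide 1, added here as an example and not the original poster's code. It assumes a form field named `avatar` and an `uploads` directory beside the script; both names are placeholders, and the whitelist is limited to image types.

```php
<?php
// Added example (not from the original post): an upload handler that only accepts
// whitelisted extensions, checks the real content type, and stores the file under a
// random name so the uploader never controls or learns the stored path.
declare(strict_types=1);

// Whitelist: extension => MIME type the file content must really have.
$allowedExt = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];
$uploadDir  = __DIR__ . '/uploads';   // hypothetical path; better kept outside the web root

// Returns the validated extension, or null if the upload must be rejected.
function validateUpload(array $file, array $allowedExt): ?string
{
    // Anything that did not arrive cleanly is rejected.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only the last extension counts; "shell.php.png" is judged on "png".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowedExt[$ext])) {
        return null;                  // not in the whitelist (e.g. php, phtml, htaccess)
    }
    // Inspect the bytes, not the client-supplied $file['type'] header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowedExt[$ext]) {
        return null;                  // the extension lies about the content
    }
    return $ext;
}

$ext = validateUpload($_FILES['avatar'] ?? [], $allowedExt);
if ($ext === null) {
    http_response_code(400);
    exit('File type not allowed.');
}

// Random server-side name with a single whitelisted extension: the original
// (possibly double) extension is discarded, so Apache never sees ".php" in the name.
$name = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($_FILES['avatar']['tmp_name'], $uploadDir . '/' . $name)) {
    http_response_code(500);
    exit('Upload failed.');
}
echo 'Stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```

Pair this with a rule that the uploads directory is not allowed to execute scripts at all (for example no PHP handler for that directory in Apache), so a whitelist mistake cannot turn into a shell.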
 
There is no point using XAMPP, why not use Zend Server CE instead?
Anyway, pretty good tutorial, people who still use XAMPP should read this.
 