XAMPP SECURE
#1

I decided to do some research for those who are lazy and won't use 2. The method I got from the internet; I just wanted to share it with you to help make your XAMPP more secure.

 

 

To change the XAMPP server port number:

Stop the XAMPP server, if it is running already.

Open the file [XAMPP Installation Folder]/apache/conf/httpd.conf.

Now search for the string Listen 80 (I'm assuming that your XAMPP was using the port 80. Otherwise, just search for the string "Listen"). This is the port number which XAMPP uses. Change this 80 to any other number which you prefer.

Then search for the string "ServerName" and update the port number there also.

Now save and re-start XAMPP server and you are done.

 

2.

Here, we will learn how to secure your Win XAMPP directories and assign passwords. Below are the basic security setup steps:

1. Launch your favorite browser.

2. Enter the following URL in your address bar: 2

3. You should then see the XAMPP splash page. Click "English." You will then see the XAMPP administrator panel, where you can find the XAMPP status and security configuration settings.

4. Click "Security."

5. XAMPP will then perform a security audit in your Windows system and setup. You will likely see errors; do not panic. Since you have not secured your XAMPP installation yet, you will likely see the following warnings:

These XAMPP pages are accessible by network for everyone -UNSECURE

The MySQL admin user root has NO password - UNSECURE

PhpMyAdmin is free accessible by network - UNSECURE

The FileZilla FTP password is still 'wampp' - UNSECURE

PHP is NOT running in "safe mode" – UNSECURE

A POP3 server like Mercury Mail is not running or is blocked by a firewall! - Unknown

7. The priority items to be fixed are: Directory Permissions, MySQL Password and PHPMyAdmin. Click the link: 2/security/xamppsecurity.php that appears below the warning messages.

8. Under the MySQL section: "Root" Password, assign a new password and make sure to take note of it by writing it down in a safe location. Select "cookie" for PHPMyAdmin authentication.

Warning: Do NOT check "Save plain password in text file?"

Click "Password Changing." You should then see: "The root password was successfully changed. Please restart MYSQL for loading these changes!"

9. To restart MySQL, go to the XAMPP Control panel (screenshot shown previously). Click "Stop" for MySQL. This will stop the MySQL service. It should look like the image below:

Click the "Start" button again to restart MySQL and implement your new password settings. If you see "running" under MySQL service, it has successfully restarted.

10. Now go back to the XAMPP security page (2/security/index.php). Let's secure the XAMPP directory by implementing "Directory protection (.htaccess)."

First, enter the desired username and password under "XAMPP DIRECTORY PROTECTION (.htaccess)." Take note of these credentials and write them down in a safe location.

Warning: Do NOT check the "Safe plain password in text file?"

Now, click "Make Safe the XAMPP directory." If the changes are successful, you should see the message:

SUCCESS: The XAMPP directory is protected now! All personal data was saved in the following file:

C:\xampp\security\xampp.users

C:\xampp\htdocs\xampp\.htaccess

The password gets encrypted once it is stored in that location.

11. You can stop the “Filezilla†service in the XAMPP Control panel, as it is not required to test applications. The two most important services for developing web applications are Apache and MySQL. These should not be disabled if you want to properly test your applications locally.

 

 

3. File uploader:

1) If you have a file uploader, then make sure you have coded 'Available File Extensions'.

 

2) Make sure nobody knows what the folder's path is.

 

Reason:

1) If you don't have any 'Available File Extensions' then people can just upload a c99 shell or whatsoever and hack your site.

 

2) Well here, if you also don't have 'Available File Extensions', people can simply upload a shell and find the local path then hack the website.

 

 

2 - How to secure people from sql injecting (PMA):

Well, here there are several ways to secure people from SQL injecting your PMA.

 

The most simple is not to allow any IP address access to PMA, which is in the Drive:\xampp\apache\conf\extra\httpd-xampp.conf file.

At the bottom line(s) you will find something saying:

"Order deny,allow

Deny from all

Allow from all"

 

If you put "#" in front of "Deny from all" then it will automatically allow from all. And there is the problem: then people can go to PMA via their own PC.

So it's simple, do not do that. But if you are running PHPRetro, then read the next tutorial on how to secure it, which is right under this one LOL.

 

___________________

Here is the other tutorial on how to secure your site from being SQL injected via PMA.

 

You go to Drive:\xampp and find a folder called "PHPMyAdmin"; change it to whatever you want, but something safe that nobody would ever think of, like "This-Is-Not-PMA-So-Do-Not-Go-Here-Any-Hacker" LOL.

Well, after changing the folder's path you will probably see you can't access 2 anywhere.

Here is the fix on how to make it able to access even with another folder name:

 

Go to Drive:\xampp\apache\conf\extra\httpd-xampp.conf and find the bottom lines. Here are the lines you will have to change (well, actually only 3 lines.. **THIS IS ONLY IF YOU HAVE ALLOWED PEOPLE FROM ENTERING ALL SITES WITH THE "#Deny from all" THING YOU READ BEFORE**):

Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
<Directory "C:/xampp/phpMyAdmin">
    AllowOverride AuthConfig
</Directory>

Alias /webalizer "C:/xampp/webalizer/"
<Directory "C:/xampp/webalizer">
    <IfModule php5_module>
        <Files "webalizer.php">
            php_admin_flag safe_mode off
        </Files>
    </IfModule>
    AllowOverride AuthConfig
</Directory>
# the next line closes the <IfModule alias_module> that opens earlier in the file, above this excerpt
</IfModule>

#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Order deny,allow
    #Deny from all
    Allow from ::1 127.0.0.0/8 \
        fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
        fe80::/10 169.254.0.0/16

    ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>

So we will have to change it everywhere it says "phpmyadmin". So it will actually look like this (if you used the folder name I just made before):

Alias /This-Is-Not-PMA-So-Do-Not-Go-Here-Any-Hacker "C:/xampp/This-Is-Not-PMA-So-Do-Not-Go-Here-Any-Hacker/"
<Directory "C:/xampp/This-Is-Not-PMA-So-Do-Not-Go-Here-Any-Hacker">
    AllowOverride AuthConfig
</Directory>

Alias /webalizer "C:/xampp/webalizer/"
<Directory "C:/xampp/webalizer">
    <IfModule php5_module>
        <Files "webalizer.php">
            php_admin_flag safe_mode off
        </Files>
    </IfModule>
    AllowOverride AuthConfig
</Directory>
# the next line closes the <IfModule alias_module> that opens earlier in the file, above this excerpt
</IfModule>

#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|This-Is-Not-PMA-So-Do-Not-Go-Here-Any-Hacker|webalizer|server-status|server-info))">
    Order deny,allow
    #Deny from all
    Allow from ::1 127.0.0.0/8 \
        fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
        fe80::/10 169.254.0.0/16

    ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>

So you see how easy it is? Just change "phpmyadmin" everywhere it appears to the new name of your phpMyAdmin folder.

 

 

 

I hope you will enjoy it; it makes your XAMPP more secure from hackers.
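The IP restriction discussed in the post (the "#Deny from all" problem and the renamed phpMyAdmin alias), as an added example that is not code from the original post or from XAMPP: a Python script that parses the <LocationMatch> block of httpd-xampp.conf, applies Apache 2.2 Order/Deny/Allow evaluation, and reports whether an address from outside the listed private ranges would reach phpMyAdmin and the other admin pages. The two configuration strings inside it are constructed for the example (one with 'Deny from all' active, one with it commented out and the alias renamed as in the post); only 'Deny from all' is modelled on the Deny side, and the function and variable names are the example's own.

```python
"""Audit the 'New XAMPP security concept' block of httpd-xampp.conf.

Added example (not from the original post or XAMPP): parses the <LocationMatch>
section and evaluates Apache 2.2 Order/Deny/Allow for a given client address.
"""
import ipaddress
import re

# Constructed sample, modelled on the block quoted in the post.
# {pma} is the phpMyAdmin alias inside the protected pattern; {deny} is "" or "#".
_TEMPLATE = r'''<LocationMatch "^/(?i:(?:xampp|security|licenses|{pma}|webalizer|server-status|server-info))">
    Order deny,allow
    {deny}Deny from all
    Allow from ::1 127.0.0.0/8 \
        fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
        fe80::/10 169.254.0.0/16

    ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>
'''
HARDENED_CONF = _TEMPLATE.format(pma="phpmyadmin", deny="")
# The post's variant: alias renamed and 'Deny from all' commented out.
EXPOSED_CONF = _TEMPLATE.format(pma="This-Is-Not-PMA-So-Do-Not-Go-Here-Any-Hacker", deny="#")


def _join_continuations(text):
    """Merge lines ending in a backslash, as httpd.conf parsing does."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_location_match(text):
    """Extract the pattern, Order, whether 'Deny from all' is active, and the Allow list."""
    cfg = {"pattern": None, "order": None, "deny_active": False, "allow": []}
    in_block = False
    for line in _join_continuations(text):
        s = line.strip()
        m = re.match(r'<LocationMatch\s+"([^"]+)">', s, re.I)
        if m:
            in_block, cfg["pattern"] = True, m.group(1)
            continue
        if not in_block:
            continue
        if s.lower().startswith("</locationmatch>"):
            break
        if not s or s.startswith("#"):
            continue  # blank, or commented out and therefore not in effect
        parts = s.split()
        key = parts[0].lower()
        if key == "order":
            cfg["order"] = parts[1].lower()
        elif key == "deny" and [p.lower() for p in parts[1:3]] == ["from", "all"]:
            cfg["deny_active"] = True
        elif key == "allow" and parts[1].lower() == "from":
            cfg["allow"].extend(parts[2:])
    return cfg


def _to_network(token):
    """Turn one Allow-from token into an ip_network; None stands for 'all'."""
    if token.lower() == "all":
        return None
    if "/" not in token and ":" not in token:
        octets = token.split(".")
        if len(octets) < 4:  # Apache partial form: "10.1" means 10.1.0.0/16
            token = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    return ipaddress.ip_network(token, strict=False)


def is_allowed(cfg, client):
    """Decide access for one client address under Apache 2.2 Order semantics."""
    addr = ipaddress.ip_address(client)
    nets = [_to_network(t) for t in cfg["allow"]]
    in_allow = any(n is None or (n.version == addr.version and addr in n) for n in nets)
    order = cfg["order"] or "deny,allow"  # Apache 2.2 default when Order is absent
    if order == "deny,allow":
        # Deny is checked first, Allow second; a request matching neither is allowed.
        return in_allow or not cfg["deny_active"]
    if order == "allow,deny":
        # Allow first, Deny second; a request matching neither is denied.
        return in_allow and not cfg["deny_active"]
    raise ValueError("unsupported Order directive: %s" % order)


def audit(text, pma_alias="phpmyadmin", outside_ip="203.0.113.5"):
    """Return (cfg, findings); an empty findings list means the block holds."""
    cfg = parse_location_match(text)
    if cfg["pattern"] is None:
        return cfg, ["no <LocationMatch> block found"]
    findings = []
    if pma_alias.lower() not in cfg["pattern"].lower():
        findings.append("alias %r is not covered by the protected pattern" % pma_alias)
    if not cfg["deny_active"]:
        findings.append("'Deny from all' is missing or commented out")
    if any(t.lower() == "all" for t in cfg["allow"]):
        findings.append("'Allow from all' grants access to every address")
    if is_allowed(cfg, outside_ip):
        findings.append("outside address %s would be allowed" % outside_ip)
    return cfg, findings


if __name__ == "__main__":
    print("hardened:", audit(HARDENED_CONF)[1] or "ok")
    print("exposed:", audit(EXPOSED_CONF, "This-Is-Not-PMA-So-Do-Not-Go-Here-Any-Hacker")[1])
```

Running it prints no findings for the hardened block and two for the exposed one: the commented-out Deny and, as a consequence, the outside address getting through. The second finding is the practical check to keep: with Order deny,allow, an Allow list on its own restricts nothing, because a request that matches neither Deny nor Allow is allowed by default.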

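The 'Available File Extensions' advice in section 3, as an added example that is not code from the original post: a Python validator (the same checks port to PHP on XAMPP without change) that accepts only an allow-listed extension, refuses names with more than one extension, and stores the file under a random name in a folder you choose. The allow-list, the function names, the sample file name and the sample bytes are all constructed for the example.

```python
"""Allow-list validation for a file uploader.

Added example (not from the original post): only an explicit list of
extensions is accepted, and the stored name is random so nothing about the
upload folder can be inferred from the name the client sent.
"""
import os
import re
import secrets
import tempfile

# Constructed allow-list: only what the application actually needs to receive.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


class UploadRejected(ValueError):
    """Raised when a client-supplied file name fails the allow-list checks."""


def validate_upload_name(client_name):
    """Return the lowercase extension if the client-supplied name is acceptable."""
    # Keep only the last path component; browsers and clients may send a full path.
    base = re.split(r"[\\/]", client_name)[-1]
    if not base or "\x00" in base:
        raise UploadRejected("empty name or embedded NUL byte")
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or "." in stem:
        # Exactly one extension: Apache's mod_mime maps every extension of a
        # multi-extension name, so such names are refused rather than guessed about.
        raise UploadRejected("name must have the form <stem>.<ext>")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension %r is not in the allow-list" % ext)
    return ext


def is_acceptable(client_name):
    """Boolean wrapper around validate_upload_name."""
    try:
        validate_upload_name(client_name)
        return True
    except UploadRejected:
        return False


def stored_name(ext):
    """Random on-disk name; the client's stem is never reused."""
    return "%s.%s" % (secrets.token_hex(16), ext)


def save_upload(client_name, data, upload_dir):
    """Validate, then write the bytes under a random name; returns that name."""
    ext = validate_upload_name(client_name)
    name = stored_name(ext)
    # upload_dir should sit outside the web root (not under htdocs), so uploads
    # are only ever served through application code, never as direct URLs.
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name


def demo():
    """Round-trip one constructed upload through a temporary folder."""
    folder = tempfile.mkdtemp(prefix="uploads-")
    name = save_upload("holiday.PNG", b"\x89PNG\r\n\x1a\n", folder)
    return name, os.path.getsize(os.path.join(folder, name))


if __name__ == "__main__":
    for candidate in ("holiday.PNG", "report.pdf", "page.php", "image.php.jpg", ".htaccess"):
        print("%-14s %s" % (candidate, "accepted" if is_acceptable(candidate) else "rejected"))
    print("stored as:", demo())
```

The extension check is case-insensitive and runs on the last path component only, so a name carrying Windows or POSIX directory separators cannot steer the write outside upload_dir; the random stored name covers the post's second rule, that the folder layout stays unguessable.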
#2
Warmonger, do you know if EasyPHP is good to set up MySQL and Apache?