Open-source web servers, especially Apache HTTP server, has seen an tremendous increase in the number of vulnerabilities which hackers have been consistently exploiting since 2017. Hackers exploit various vulnerabilities to attack web servers, with one of the targets being web servers installed as software packages. This article shows how to detect web server vulnerabilities caused by software package bundles, exposed default pages and configuration files using Criminal IP Asset Search.
What are Web Server Software Packages? (XAMPP, Wamp, LAMP)
APM refers to the web server Apache, server-side language PHP, database management system (DBMS) MySQL and Maria DB. AMP is another term used to describe the same 3 combination of softwares.
When building a web server, the aforementioned softwares are usually installed therefore web server installation software package is used for time efficiency.
XAMMP stands for X(Cross-platform), A(Apache), M(MariaDB), P(PHP), P(Perl) and it includes not only APM but also other programs needed for the web server.
Many developers use XAMPP because of its constant updates and inclusion of many add-ons like WordPress and MediaWiki.
Exposure of Web Server Software Package Installation Complete Page
When targeting a web server installed as a software package, hackers search for information about the web server. From this, the page they choose to exploit is the installation complete default page. If this default page is exposed to the internet, that in itself can become a web server vulnerability.
How to Search for Exposed XAMPP Web Server
We can search for the XAMPP software package-installed Apache HTTP web server default page by searching the HTML title as shown below.
Search Query : title: “Welcome to XAMPP”
When accessing one of the 72,000 web servers that resulted from the search, it takes you a XAMPP-installed default page. On the top right corner, there is a menu where you can access PHPInfo and phpMyAdmin pages.
Clicking on the PHP Info on the top right corner will allow you to check the execution results of phpinfo() function of the webserver.
Furthermore, clicking on phpMyAdmin menu on the top right corner will take you to a login-page where you can log-in as an administrator.
How to Search for Exposed WAMP Web Server
The software package-installed web server vulnerability that exposes default pages is not limited to XAMPP. WAMP and LAMP can also detect exposed web server default pages through OSINT search engine in a similar way.
Search Query : title: “WAMP5 Homepage”
Search Query : title: “WAMPSERVER Homepage”
How to Search for Exposed LAMP Web Server
Search Query : title: LAMP stack installation scripts by Teddysun
Searching for Web Server Configuration Details Using Directory Index
There are instances where configuration files are found and exploited using an exposed directory index. The image below shows a real-life example of a software package XAMPP-installed web server’s configuration file being exposed.
The configuration file named ‘httpd-xampp.conf’ contains various information related to running the XAMPP-installed httpd web server.
If you open the file ‘httpd-xampp.conf’, you can see the setting details of the XAMPP web server.
Precautions When Installing Open-Source Software Package Bundle
As such, hackers will collect all sorts of OSINT information and search for web server vulnerabilities. Therefore, when using open-source web server software, it is important to check that the directory index, where the default page and configuration file that contains the web server information, are not exposed.
If the URL of the main page or directory index page is accessible to everyone on the internet, you must either change the admin settings of the exposed configuration file or change the web server preference settings.
Please feel free to refer to our article that talks about security vulnerabilities that alters exposed NGINX configuration files and how you can detect it.
Source : Criminal IP(https://www.criminalip.io)
Related Article :