Open-source web servers, especially Apache HTTP servers, have seen a tremendous increase in the number of vulnerabilities that hackers have consistently exploited since 2017. Hackers exploit various vulnerabilities to attack web servers, with one of the targets being web servers installed as software packages. This article shows how to detect web server vulnerabilities caused by software packages, exposed default pages, and configuration files using Criminal IP Asset Search.

What are Web Server Software Packages? (XAMPP, Wamp, LAMP)

Apache HTTP web servers are often installed in packages such as XAMPP, Wamp, and LAMP rather than as standalone.

APM refers to the web server Apache, server-side language PHP, database management system (DBMS) MySQL and Maria DB. AMP is another term used to describe the same three combinations of software. 

When building a web server, all three software mentioned above are usually installed; therefore, the web server installation package is used for time efficiency.

XAMPP, One of the Web Server Installation Packages
XAMPP, One of the Web Server Installation Packages

XAMMP stands for X(Cross-platform), A(Apache), M(MariaDB), P(PHP), and P(Perl), and it includes not only APM but also other programs needed for the web server.

Many developers use XAMPP because of its constant updates and inclusion of many add-ons like WordPress and MediaWiki. 

Exposure of Web Server Software Package Installation Complete Page 

When targeting a web server installed as a software package, hackers search for information about the web server. From this, the page they choose to exploit is the installation complete default page. If this default page is exposed to the internet, that in itself can become a web server vulnerability. 

How to Search for Exposed XAMPP Web Server 

We can search for the XAMPP software package-installed Apache HTTP web server default page by searching the HTML title as shown below.

Search Query : title: “Welcome to XAMPP”

Search Results for XAMPP Software Package Default Page on Criminal IP Asset Search
Search Results for XAMPP Software Package Default Page on Criminal IP Asset Search

When you connect to one of the 72,000 web servers searched, you will be connected to the default XAMPP installation complete page as shown below. In the upper right corner, there is a menu to access PHPInfo and phpMyAdmin pages. 

An Exposed XAMPP Software Package Installation Completed Default Page
 An Exposed XAMPP Software Package Installation Completed Default Page

Clicking on the PHP Info in the top right corner will allow you to check the results of executing the phpinfo() function of the webserver.

PHP Info Page Accessed Through Exposed XAMPP Default Page
PHP Info Page Accessed Through Exposed XAMPP Default Page

Furthermore, clicking on the phpMyAdmin menu in the top right corner will take you to a login page where you can log in as an administrator.

phpMyAdmin Page Accessed Through Exposed XAMPP Default Page
phpMyAdmin Page Accessed Through Exposed XAMPP Default Page

How to Search for Exposed WAMP Web Server 

The software package-installed web server vulnerability that exposes default pages is not limited to XAMPP. WAMP and LAMP have exposed web server default pages; you can detect them through the OSINT search engine in a similar way.

Search Query : title: “WAMP5 Homepage”
Search Query : title: “WAMPSERVER Homepage”

Search Result for WAMP Server Default Page Using Criminal IP Asset Search
Search Result for WAMP Server Default Page Using Criminal IP Asset Search
Exposed WAMP Server Default Page
Exposed WAMP Server Default Page

How to Search for Exposed LAMP Web Server

Exposed LAMP Server Default Page
Exposed LAMP Server Default Page

Searching for Web Server Configuration Details Using Directory Index  

There are instances where configuration files are found and exploited using an exposed directory index. The image below shows a real-life example of a software package XAMPP-installed web server’s configuration file being exposed.

The configuration file named ‘httpd-xampp.conf’ contains various information related to running the XAMPP-installed httpd web server. 

Directory Index of Exposed XAMPP Software Package-installed Web Server
Directory Index of Exposed XAMPP Software Package-installed Web Server

If you open the file ‘httpd-xampp.conf’, you can see the setting details of the XAMPP web server.

File 'httpd-xampp.conf' Discovered on Exposed Directory Index. Shows Setting Details of XAMPP Web Server
 File ‘httpd-xampp.conf’ Discovered on Exposed Directory Index. Shows Setting Details of XAMPP Web Server

Precautions When Installing Open Source Software Package

As such, hackers will collect all sorts of OSINT information and search for web server vulnerabilities. Therefore, when using open-source web server software, it is important to check whether the default page containing web server information and the directory index page containing configuration files are not exposed. 

If the URL of the main page or directory index page is accessible to everyone on the internet, you must either change the admin settings of the exposed configuration file or change the web server preference settings. 

Please refer to our article about security vulnerabilities that alter exposed NGINX configuration files and how you can detect them.

Source : Criminal IP (https://www.criminalip.io)

Related Article :

Security Vulnerabilities That Alters Exposed NGINX Configuration Files