Open-source web servers, especially Apache HTTP servers, have seen a tremendous increase in the number of vulnerabilities that hackers have consistently exploited since 2017. Hackers exploit various vulnerabilities to attack web servers, with one of the targets being web servers installed as software packages. This article shows how to detect web server vulnerabilities caused by software packages, exposed default pages, and configuration files using Criminal IP Asset Search.
What are Web Server Software Packages? (XAMPP, Wamp, LAMP)
Apache HTTP web servers are often installed as part of packages such as XAMPP, Wamp, and LAMP rather than as standalone software.
APM refers to the web server Apache, the server-side language PHP, and the database management system (DBMS) MySQL and MariaDB. AMP is another term for the same combination of three software components.
When building a web server, all three of these components are usually installed, so a web server installation package is used to save time.

XAMPP stands for X (Cross-platform), A (Apache), M (MariaDB), P (PHP), and P (Perl); it includes not only APM but also other programs needed for the web server.
Many developers use XAMPP because of its constant updates and inclusion of many add-ons like WordPress and MediaWiki.
Exposure of Web Server Software Package Installation Complete Page
When targeting a web server installed as a software package, hackers first search for information about the web server. The page they look for is the default page shown once installation is complete. If this default page is exposed to the internet, that in itself can become a web server vulnerability.
How to Search for Exposed XAMPP Web Server
We can search for the XAMPP software package-installed Apache HTTP web server default page by searching the HTML title as shown below.
Search Query : title: “Welcome to XAMPP”

When you connect to one of the 72,000 web servers returned by the search, you reach the default XAMPP installation complete page as shown below. In the upper right corner, there is a menu to access the PHPInfo and phpMyAdmin pages.

Clicking PHPInfo in the top right corner lets you check the results of executing the phpinfo() function on the web server.

Furthermore, clicking on the phpMyAdmin menu in the top right corner will take you to a login page where you can log in as an administrator.

How to Search for Exposed WAMP Web Server
The vulnerability of exposed default pages on package-installed web servers is not limited to XAMPP. WAMP and LAMP installations also expose default pages, and you can detect them through the OSINT search engine in a similar way.
Search Query : title: “WAMP5 Homepage”
Search Query : title: “WAMPSERVER Homepage”


How to Search for Exposed LAMP Web Server
- https://www.criminalip.io/asset/search?query=title%3A+LAMP+stack+installation+scripts+by+Teddysun
Search Query : title: LAMP stack installation scripts by Teddysun

Searching for Web Server Configuration Details Using Directory Index
There are instances where configuration files are found and exploited through an exposed directory index. The image below shows a real-life example in which the configuration file of a web server installed with the XAMPP software package is exposed.
The configuration file named ‘httpd-xampp.conf’ contains various information related to running the XAMPP-installed httpd web server.

If you open the file ‘httpd-xampp.conf’, you can see the setting details of the XAMPP web server.

Precautions When Installing Open Source Software Package
As such, hackers collect all sorts of OSINT information to search for web server vulnerabilities. Therefore, when using open-source web server software, it is important to check that neither the default page containing web server information nor the directory index page containing configuration files is exposed.
If the URL of the main page or directory index page is accessible to everyone on the internet, you must either change the admin settings of the exposed configuration file or change the web server preference settings.
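A self-check for the two exposures described above, as an added example that is not part of the original article: it inspects an HTML response fetched from your own server and reports whether it is one of the default pages from the search queries earlier or a directory index that lists a configuration file. The function name, the sample responses and the file-suffix list are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Default-page titles taken from the search queries in this article.
DEFAULT_TITLES = {
    "welcome to xampp": "XAMPP",
    "wamp5 homepage": "WAMP",
    "wampserver homepage": "WAMP",
    "lamp stack installation scripts by teddysun": "LAMP",
}
CONFIG_SUFFIXES = (".conf", ".ini")  # assumed list, extend for your stack

# Constructed sample responses (not captured from any real host).
SAMPLE_DEFAULT = "<html><head><title>Welcome to XAMPP</title></head></html>"
SAMPLE_INDEX = ('<html><head><title>Index of /example-dir</title></head><body>'
                '<a href="httpd-xampp.conf">httpd-xampp.conf</a></body></html>')

class _PageScan(HTMLParser):
    """Collects the <title> text and every link target on the page."""
    def __init__(self):
        super().__init__()
        self.in_title, self.title, self.links = False, "", []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title += data

def audit_page(html):
    """Return the findings for one HTML response from your own server."""
    scan = _PageScan()
    scan.feed(html)
    title = " ".join(scan.title.split()).lower()  # normalise whitespace and case
    findings = [f"default {pkg} page exposed"
                for needle, pkg in DEFAULT_TITLES.items() if needle in title]
    # Apache mod_autoindex listings are titled "Index of <path>".
    if title.startswith("index of "):
        findings.append("directory index exposed")
        findings += [f"config file listed: {h}" for h in scan.links
                     if h.lower().endswith(CONFIG_SUFFIXES)]
    return findings
```

Feed it the body of responses from hosts you administer; an empty list means neither exposure was recognised in that response.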
Please refer to our article about security vulnerabilities that alter exposed NGINX configuration files and how you can detect them.
Source : Criminal IP (https://www.criminalip.io)