Open-source web servers, especially the Apache HTTP Server, have seen a tremendous increase in the number of vulnerabilities that hackers have been consistently exploiting since 2017. Hackers exploit various vulnerabilities to attack web servers, and one of their targets is web servers installed from software package bundles. This article shows how to detect web server vulnerabilities caused by software package bundles, exposed default pages and exposed configuration files using Criminal IP Asset Search.

What are Web Server Software Packages? (XAMPP, Wamp, LAMP)

Rather than installing the Apache HTTP web server on its own, in many cases XAMPP, WAMP or LAMP is installed as a package bundle.

APM refers to the web server Apache, the server-side language PHP, and the database management system (DBMS) MySQL or MariaDB. AMP is another term used to describe the same combination of three programs.

When building a web server, the software mentioned above is usually installed together, so a web server installation package is used to save time.

XAMPP, One of the Softwares in the Web Server Installation Package

XAMPP stands for X (cross-platform), A (Apache), M (MariaDB), P (PHP) and P (Perl), and it includes not only APM but also other programs needed for the web server.

Many developers use XAMPP because of its constant updates and inclusion of many add-ons like WordPress and MediaWiki. 

Exposure of Web Server Software Package Installation Complete Page 

When targeting a web server installed from a software package, hackers first search for information about the web server. The page they choose to exploit from this is the default page shown when installation is complete. If this default page is exposed to the internet, that in itself can become a web server vulnerability.

How to Search for Exposed XAMPP Web Server 

We can search for the XAMPP software package-installed Apache HTTP web server default page by searching the HTML title as shown below.

Search Query : title: “Welcome to XAMPP”

Search Results for XAMPP Software Package Default Page on Criminal IP Asset Search

Accessing one of the 72,000 web servers returned by the search takes you to a XAMPP-installed default page. In the top right corner there is a menu from which the PHPInfo and phpMyAdmin pages can be accessed.

An Exposed XAMPP Software Package Installation Completed Default Page

Clicking on PHP Info in the top right corner shows the output of the web server's phpinfo() function.

PHP Info Page Accessed Through Exposed XAMPP Default Page

Furthermore, clicking on the phpMyAdmin menu in the top right corner takes you to a login page where you can log in as an administrator.

phpMyAdmin Page Accessed Through Exposed XAMPP Default Page

How to Search for Exposed WAMP Web Server 

The software package-installed web server vulnerability of exposing default pages is not limited to XAMPP. Exposed WAMP and LAMP web server default pages can also be detected through an OSINT search engine in a similar way.

Search Query : title: “WAMP5 Homepage”
Search Query : title: “WAMPSERVER Homepage”

Search Result for WAMP Server Default Page Using Criminal IP Asset Search
Exposed WAMP Server Default Page

How to Search for Exposed LAMP Web Server

Exposed LAMP Server Default Page

Searching for Web Server Configuration Details Using Directory Index  

There are instances where configuration files are found and exploited using an exposed directory index. The image below shows a real-life example of a software package XAMPP-installed web server’s configuration file being exposed.

The configuration file named ‘httpd-xampp.conf’ contains various information related to running the XAMPP-installed httpd web server. 

Directory Index of Exposed XAMPP Software Package-installed Web Server

If you open the file ‘httpd-xampp.conf’, you can see the setting details of the XAMPP web server.

File ‘httpd-xampp.conf’ Discovered on Exposed Directory Index. Shows Setting Details of XAMPP Web Server
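The title searches for XAMPP, WAMP and LAMP default pages above and the directory index check in this section all come down to inspecting an HTTP response body, which you can do against your own hosts before a search engine does it for someone else. The following Python script is an added example, not code from the article or from Criminal IP: it classifies constructed sample responses by their HTML title using the query strings from the article, and additionally flags an Apache directory listing that links to httpd-xampp.conf and an exposed phpinfo() page. The LAMP title ("Apache2 Ubuntu Default Page"), the sample URLs and the phpinfo() title marker are assumptions, since the article gives no query for them.

```python
import re
from html import unescape

# HTML titles used as search queries in the article, mapped to the package
# bundle whose default page carries them. The LAMP entry is an assumption: the
# article shows a LAMP default page but gives no query, so the title of the
# stock Apache page on Debian/Ubuntu is used here.
DEFAULT_PAGE_TITLES = {
    "welcome to xampp": "XAMPP",
    "wamp5 homepage": "WAMP",
    "wampserver homepage": "WAMP",
    "apache2 ubuntu default page": "LAMP",
}

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def extract_title(html: str) -> str:
    """Return the <title> text, whitespace-normalised and lower-cased ('' if absent)."""
    m = TITLE_RE.search(html)
    if not m:
        return ""
    return " ".join(unescape(m.group(1)).split()).lower()


def classify_response(html: str) -> list[str]:
    """Return finding tags for one response body; an empty list means nothing was recognised."""
    findings = []
    title = extract_title(html)

    # 1. Installation-complete default page of XAMPP/WAMP/LAMP.
    package = DEFAULT_PAGE_TITLES.get(title)
    if package:
        findings.append(f"default-page:{package}")

    # 2. Apache mod_autoindex listings are titled "Index of /path"; if the listing
    #    links to httpd-xampp.conf, the XAMPP configuration file itself is exposed.
    if title.startswith("index of "):
        findings.append("directory-index")
        if re.search(r'href="httpd-xampp\.conf"', html, re.IGNORECASE):
            findings.append("config-file:httpd-xampp.conf")

    # 3. phpinfo() output: its <title> ends with "phpinfo()" (assumed marker).
    if title.endswith("phpinfo()"):
        findings.append("phpinfo")

    return findings


# Constructed sample responses (documentation IP range, not real hosts).
SAMPLE_RESPONSES = {
    "http://192.0.2.10/": "<html><head><title>Welcome to XAMPP</title></head><body>...</body></html>",
    "http://192.0.2.11/": "<html><head><TITLE>WAMPSERVER Homepage</TITLE></head></html>",
    "http://192.0.2.12/apache/conf/extra/": (
        "<html><head><title>Index of /apache/conf/extra</title></head><body>"
        '<a href="httpd-xampp.conf">httpd-xampp.conf</a></body></html>'
    ),
    "http://192.0.2.13/dashboard/phpinfo.php": "<html><head><title>PHP 8.2.0 - phpinfo()</title></head></html>",
    "http://192.0.2.14/": "<html><head><title>Example Corp</title></head><body>Hello</body></html>",
}


def audit(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each URL with at least one finding to its findings."""
    report = {}
    for url, body in responses.items():
        findings = classify_response(body)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit(SAMPLE_RESPONSES).items():
        print(f"{url} -> {', '.join(findings)}")
```

Feed `classify_response` the body of each response collected from your own inventory (what `curl -s` returns for the root URL and for any directory you serve) and treat every non-empty result as a host that needs its default page removed or restricted before it shows up in a search engine.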

Precautions When Installing Open-Source Software Package Bundle  

As shown, hackers collect all sorts of OSINT information and search for web server vulnerabilities. Therefore, when using open-source web server software, it is important to check that the default page, and the directory index containing the configuration file that holds the web server information, are not exposed.

If the URL of the main page or directory index page is accessible to everyone on the internet, you must either change the admin settings of the exposed configuration file or change the web server's configuration settings.
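Changing the web server settings, as recommended here, means disabling directory listings and restricting the bundle's admin pages (dashboard, phpMyAdmin) to local access. The Python snippet below is an added example, not code from the article or from XAMPP: it embeds two constructed Apache configuration fragments, one weak and one hardened, and audits them for an `Options` directive that enables `Indexes` and for `Require all granted` inside a container that serves an admin path. The paths, the admin markers beyond xampp and phpmyadmin, and the configuration fragments themselves are assumptions, not the httpd-xampp.conf that XAMPP ships.

```python
import re

# Constructed Apache configuration fragments (paths follow the Linux XAMPP
# layout under /opt/lampp, but these are NOT the files XAMPP ships).
WEAK_CONF = """
DocumentRoot "/opt/lampp/htdocs"
<Directory "/opt/lampp/htdocs">
    # directory listing on: every folder without an index file is browsable
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
Alias /phpmyadmin "/opt/lampp/phpmyadmin"
<Directory "/opt/lampp/phpmyadmin">
    # admin login page reachable from the whole internet
    Require all granted
</Directory>
"""

HARDENED_CONF = """
DocumentRoot "/opt/lampp/htdocs"
<Directory "/opt/lampp/htdocs">
    # listing disabled; symlinks still followed
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>
Alias /phpmyadmin "/opt/lampp/phpmyadmin"
<Directory "/opt/lampp/phpmyadmin">
    Require local
</Directory>
# bundle dashboard and status pages reachable from localhost only
<LocationMatch "^/(?i:(?:xampp|phpmyadmin|server-status|server-info))">
    Require local
</LocationMatch>
"""

OPEN_TAG = re.compile(r"^<(\w+)\s*(.*?)>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")
# Path fragments that identify the bundle's admin tooling. "xampp" and
# "phpmyadmin" come from the article; the status handlers are an assumption.
ADMIN_MARKERS = ("xampp", "phpmyadmin", "server-status", "server-info")


def audit_config(conf: str) -> list[str]:
    """Report explicit weak settings; settings inherited from parent blocks are not resolved."""
    findings = []
    stack = []  # (tag, argument) of the enclosing <Directory>/<Location...> blocks
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_TAG.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip('"')))
            continue
        if CLOSE_TAG.match(line):
            if stack:
                stack.pop()
            continue
        scope = f"<{stack[-1][0]} {stack[-1][1]}>" if stack else "server config"
        directive, *args = line.split()
        name = directive.lower()
        # 'Options Indexes' / 'Options +Indexes' turn mod_autoindex listings on.
        if name == "options" and any(a.lstrip("+").lower() == "indexes" for a in args):
            findings.append(f"directory listing enabled by '{line}' in {scope}")
        # 'Require all granted' inside a block that serves the admin tooling.
        if name == "require" and [a.lower() for a in args] == ["all", "granted"]:
            if stack and any(mk in stack[-1][1].lower() for mk in ADMIN_MARKERS):
                findings.append(f"admin path open to everyone: '{line}' in {scope}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_config(conf) or ['no findings']}")
```

Run it against the `conf/extra/httpd-xampp.conf` and `conf/httpd.conf` of your own installation after reading them in; a clean report plus `Require local` on the dashboard paths is the state you want before the server is reachable from the internet.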

Please feel free to refer to our article on security vulnerabilities involving exposed NGINX configuration files and how you can detect them.


Source : Criminal IP(https://www.criminalip.io)
