Summary
The host is installed with XAMPP and is prone to multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities.
Impact
Successful exploitation lets an attacker inject arbitrary web script or HTML through the unsanitised parameters, or change the administrator's credentials by luring a logged-in administrator to a page that submits a crafted request to the XAMPP security console.
Impact Level: Application/Network
Solution
Upgrade to XAMPP version 1.7.3 or later.
For updates refer to http://www.apachefriends.org/en/xampp.htm
Insight
Multiple flaws are due to:
- 'security/xamppsecurity.php' does not verify that a password-change request was intentionally submitted by the administrator (no anti-CSRF token or request-origin check), so a crafted page visited by a logged-in administrator can change the admin password through a CSRF attack.
- Input passed to the 'dbserver', 'host', 'password', 'database' and 'table' parameters is not properly sanitised before being returned to the user, which allows reflected cross-site scripting.
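The two flaw classes above, shown as an added illustrative example. This is not the code of XAMPP's security/xamppsecurity.php; it is a hypothetical PHP handler in which each weak pattern sits beside a hardened form. Apart from the reflected parameter names the advisory lists ('dbserver', 'host', 'password', 'database', 'table'), every function, parameter and form-field name here is an assumption.

```php
<?php
// Added example for this advisory. NOT XAMPP's own code: the handler names,
// the 'newpass' and 'csrf_token' form fields and the storage callback are all
// hypothetical. Only the reflected parameter names come from the advisory.

// --- Flaw 1: state-changing request with no proof the admin meant to send it ---

// Vulnerable pattern (hypothetical): any POST carrying a new password is
// honoured. A page on an attacker's site can auto-submit such a form from the
// administrator's browser, which attaches the admin's session cookie.
function changePasswordVulnerable(array $post, callable $store): bool
{
    if (!isset($post['newpass']) || !is_string($post['newpass'])) {
        return false;
    }
    $store($post['newpass']);
    return true;
}

// Hardened pattern: a per-session synchronizer token embedded in the legitimate
// form and compared with hash_equals(); Origin/Referer is checked as a second,
// independent line of defence.
function csrfToken(): string
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function requestIsSameOrigin(array $server, string $expectedHost): bool
{
    $hdr  = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($hdr, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

function changePasswordHardened(array $post, array $server, string $expectedHost, callable $store): bool
{
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrfToken(), $sent)) {
        return false; // missing or wrong token: treat as a forged request
    }
    if (!requestIsSameOrigin($server, $expectedHost)) {
        return false; // cross-site request even if a token leaked
    }
    if (!isset($post['newpass']) || !is_string($post['newpass'])) {
        return false;
    }
    $store($post['newpass']);
    session_regenerate_id(true); // new session id after a credential change
    return true;
}

// --- Flaw 2: request parameters echoed back without output encoding ---

// Vulnerable pattern: the value is dropped into the HTML as-is, so a value such
// as "><script>...</script> closes the attribute and becomes markup.
function renderFieldVulnerable(string $name, string $value): string
{
    return "<input type=\"text\" name=\"$name\" value=\"$value\">";
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES covers
// both quote characters so the value cannot break out of the attribute.
function renderFieldHardened(string $name, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input type=\"text\" name=\"$name\" value=\"$safe\">";
}

// Demonstration on constructed input.
$store = static function (string $pw): void { /* hypothetical credential store */ };

// A request with no token (what a cross-site form post looks like) is rejected
// by the hardened handler but accepted by the vulnerable one.
$forged = ['newpass' => 'attacker-chosen'];
var_dump(changePasswordVulnerable($forged, $store));            // bool(true)
var_dump(changePasswordHardened($forged, [], 'localhost', $store)); // bool(false)

$payload = '"><script>alert(1)</script>';
foreach (['dbserver', 'host', 'password', 'database', 'table'] as $param) {
    echo renderFieldVulnerable($param, $payload), "\n"; // script tag lands in the page
    echo renderFieldHardened($param, $payload), "\n";   // &quot;&gt;&lt;script&gt;... stays text
}
```

The two checks in the hardened password handler are deliberately independent: the token defends against forged requests even when Referer is stripped, and the origin check catches a token that leaked through the reflected-XSS flaw, which is why the two weaknesses on this page compound each other.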
Affected
XAMPP version 1.6.8 or prior on all platforms.
References
Updated on 2017-03-28
Severity
Classification
CVE: CVE-2008-6498, CVE-2008-6499
CVSS Base Score: 6.8 (CVSS v2 vector AV:N/AC:M/Au:N/C:P/I:P/A:P)