18

I want to test some PHP code and I figure the best way is to install XAMPP - but I'm nervous about installing server software on my home computer.

Is it generally safe to install XAMPP (given that I haven't done it before and don't have a lot of experience with server security)? What do I need to be aware of? Alternatively, is there a safer way to test PHP code?

Frost

6 Answers

22

Apache and MySQL can be configured so that they only listen to requests from your own computer. For most test systems this is fine and it greatly reduces the risk because the services are not reachable from the Internet.

Before you start XAMPP for the first time find and edit these files:

For Apache edit the files xampp\apache\conf\httpd.conf and xampp\apache\conf\extra\httpd-ssl.conf. Look for lines starting with "Listen" such as

Listen 80

and replace them with

Listen 127.0.0.1:80

For MySQL open the file xampp\mysql\bin\my.cnf find the section "[mysqld]" and add this line

bind-address=localhost

After starting the services, verify the result by opening a command window and executing:

netstat -a -n

For the entries marked as LISTEN in the last column, look at the Listen column. It should always start with 127.0.0.1 or ::1 but not with 0.0.0.0.

Hendrik Brummermann
  • Thanks, this is very helpful. Would you say that a default installation is risky then? – Frost Sep 04 '11 at 12:29
  • Why should it be risky? Is your home computer directly connected to the internet (no router and firewall)? If yes -- you have MUCH bigger problems here. By default a firewall/router blocks all incoming connections (externally initiated) unless you manually allow some applications to accept them. This means that no-one will be able to connect to your Apache/MySQL unless you allow it to do so in your router and then Windows Firewall. @Hendrik just explained to you how you can further restrict such access. – LazyOne Sep 04 '11 at 12:38
  • @Frost, the [front page](http://www.apachefriends.org/en/xampp.html#300) explicitly says "The default configuration is not good from a security point of view and it's not secure enough for a production environment - please don't use XAMPP in such environment.". – Hendrik Brummermann Sep 04 '11 at 13:49
  • Actually I reported a CSRF remote code execution vulnerability like 3 years ago that is exploitable despite this limitation. This vulnerability was never patched. – rook Sep 04 '11 at 16:36
  • @Hendrik Brummermann♦: I wouldn't call a home computer a "production environment". – Piskvor left the building Nov 04 '11 at 10:34
  • @Piskvor, well I do think that a home computer with internet access and personal documents does deserve that term in this context. It is not a computer in an isolated lab without any kind of connection to the outside world and no important information whatsoever. – Hendrik Brummermann Nov 04 '11 at 12:56
  • @Hendrik Brummermann♦: Fair point. – Piskvor left the building Nov 07 '11 at 07:46
  • I was most probably hacked by an insecure default configuration of XAMPP. It does not have these limitations by default. – Blackbam Nov 26 '15 at 21:04
  • @hendrik-brummermann Thanks for this. I discovered that xampp was listening on port 443, but that was not explicitly configured in `httpd.conf`. In order to block it, I had to comment out the entire `ssl_module` section. – Jonathan Cross Nov 15 '16 at 16:34
  • Somewhat related: at some point in time, BlackBerry decided it was a good idea to install nginx on all computers using their BlackBerry Link program and allow read/write access to the entire `%appdata%` directory. [Here is a writeup of why that resulted in a security vulnerability.](http://blog.cmpxchg8b.com/2013/11/qnx.html) – user2428118 May 06 '17 at 19:23
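An added check that automates the `netstat -a -n` verification step from this answer (my own example, not code from the answer or from XAMPP): it parses netstat output, here a constructed Windows-style sample, and reports every listening TCP socket that is bound to something other than 127.0.0.1 or ::1. It also handles the Linux `netstat` column layout, since the Local Address column sits in the same position relative to the State column.

```python
import ipaddress

# Constructed sample of `netstat -a -n` output in the Windows column layout
# (Proto, Local Address, Foreign Address, State); not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49152     203.0.113.5:443        ESTABLISHED
  TCP    [::]:443               [::]:0                 LISTENING
  TCP    [::1]:80               [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

# Windows netstat prints LISTENING, Linux netstat prints LISTEN.
LISTEN_STATES = {"LISTEN", "LISTENING"}


def split_local_address(addr):
    """Split 'ip:port' into (ip_address, port); IPv6 appears as '[::1]:80'."""
    host, _, port = addr.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def find_exposed_listeners(netstat_output):
    """Return (proto, ip, port) for each listening TCP socket whose local
    address is not loopback, i.e. reachable from the LAN or the Internet.

    Works for the Windows and Linux layouts alike: Local Address is always
    the third field from the end when State is the last field."""
    exposed = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[-1].upper() not in LISTEN_STATES:
            continue  # header, blank, UDP (no state) or non-listening socket
        ip, port = split_local_address(fields[-3])
        if not ip.is_loopback:
            exposed.append((fields[0].upper(), str(ip), port))
    return exposed


if __name__ == "__main__":
    for proto, ip, port in find_exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {ip}:{port} listens on a non-loopback address")
```

Run it on the real output with `netstat -a -n | python check_listeners.py`-style piping by reading `sys.stdin` instead of `SAMPLE_NETSTAT`; an empty result means every listener is bound to loopback as the answer recommends.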
5

Disclaimer: I'm a XAMPP developer.

It is safe to install XAMPP on your local machine. You are usually connected to the internet through a router, so it is not possible to access your current installation from outside.

Also, XAMPP ships a "How can I make my XAMPP installation more secure?" section; you can follow that guide to change the MySQL root password, disable the services you do not use, etc.

Recently XAMPP disabled the PHP-based XAMPP Dashboard and we included static HTML guides. Any issue related to CSRF or to this panel no longer exists.

XAMPP also takes into account the latest security issues. You can check the blog to see that we released new versions as soon as possible.

user93088
5

XAMPP has a very poor security track record. There are remote code execution vulnerabilities exploitable via CSRF that are known and unpatched. (It's actually in their shitty example PHP/MySQL applications that come bundled.) Even if you are only bound to localhost, this can be exploited remotely. The counter argument is that the attacker would have to know that you are running XAMPP. Their install of phpMyAdmin is always out of date, and there are nasty exploits that also affect this project.

My suggestion is to use Ubuntu in a VM. Ubuntu's LAMP install is actually easier than XAMPP and is actually secure. Just run sudo tasksel or select the LAMP package when you are installing it.

rook
  • What kind of CSRF exploits? If you remove the default contents of the htdocs folder and secure the mysql server, shouldn't it be fine? – Luc Aug 29 '12 at 21:49
  • @Luc I haven't looked at in awhile. I know that phpmyadmin was really old and you could drop .php files using it. It also comes with some really vulnerable example php apps that should be removed. – rook Aug 30 '12 at 01:17
1

XAMPP should never be used in a production environment, and on a development machine it should be tightly locked down, with steps taken to secure it, including any upgrades or security patches from the original software vendors (PHP, Apache, MySQL, etc.).

If you do choose to install XAMPP, make sure it only allows connections from the loopback address. You should verify this for Apache, MySQL and any other services you set up for XAMPP. If you have something that can be accessed internally from the LAN and someone else is on your network, knowingly or unknowingly, they can use exploits to gain access to your machine and cause damage.

ITOps
  • _By default_ it is open for everything, yes, but so is all software meant for development. With a few changes, a live (production) XAMPP installation is actually secure. – Luc Aug 29 '12 at 21:51
0

There is a safer way to test your code. You can - and arguably ought to - install your server software, whatever that might be (from XAMPP / WAMP in Windows to Ubuntu Server), in a virtual machine. It's not as daunting as it might sound at first, though it may be overkill if all you're doing is developing your own code.

A VM effectively sequesters whatever happens to your server (the guest) from propagating to your home computer running the virtual machine (the host). Imagine you have improperly configured permissions and a script you're testing executes a hidden system('rm -Rf some_dir'). No problem! Revert your VM to the latest snapshot and away you go. You could even diff the snapshots to see what changed.

Additionally, the network adapter on my VM of choice NATs the VM, forcing you to manually configure port forwarding for the VM to access it, let alone detect that it exists.

Testing in a VM also mitigates the risk of data leakage through malware. Personally, I'm much less worried that an app I'm testing will maliciously delete something than I am that it will silently steal it and upload it somewhere. Your host machine will be invisible to apps running within your VM.

I'm personally partial to Oracle's VirtualBox; it's completely free, has enough features to keep me interested and is very simple to use. The VMs are also portable: you can copy the virtual machine file to a USB drive and take it to work.

If you're ever going to do risky software testing of any kind, I suggest you learn to use VMs and test in there: it's a very useful skill to have in your tool-belt.

msanford
0

So, what do you exactly mean by "safe"?

  1. Are you concerned about data security or privacy (i.e. others could hack into your PC via the server applications and view/control your local data)?
  2. Or are you worried that your PHP code or the software will damage your computer?

For 1), it is generally not possible to access your computer remotely if you have your OS well configured. In most cases, your local network environment is protected by NAT, firewalls, and other techniques such as dynamic IP policies. Apache can also be configured to only accept local visits, as @HendrikBrummermann points out.

For 2), just try to write robust code; that's all I can suggest. Apache and MySQL are very light-weight server applications. You are just doing local tests, so there generally shouldn't be heavy data traffic or high computing overheads that could bring your system down.

Ali Ahmad