XAMPP FTP Default Credentials Risks

1.1.1 XAMPP Default FTP Credential

1.1.1.1 Description

Use of weak or default passwords is one of the most commonly exploited security
weaknesses and a leading way malicious hackers or malicious insiders gain
unauthorised access to systems such as operating systems, network elements and
applications.

XAMPP is a free and open source cross-platform web server solution stack package
developed by Apache Friends, consisting mainly of the Apache HTTP Server, the
MariaDB database, and interpreters for scripts written in the PHP and Perl
programming languages. Its bundled FTP server (ProFTPD on the Linux "LAMPP"
build) ships with publicly documented default credentials, so anyone who knows
the product also knows the password unless it has been changed.

During an internal black-box penetration test at the Client_Name office, pen-testers
found the following XAMPP default FTP credentials:

Host IP / Hostname               Port  Username  Password
10.y.z.40 (sl.sby.client.co.id)  21    Nobody    lampp
10.y.z.170                       21    Nobody    lampp
10.y.z.51                        21    Nobody    xampp

Pen-testers were able to gain access to one of the FTP servers using the weak
default password. The following screenshot shows the pen-tester accessing the
content of the FTP server at 10.y.z.40:
1.1.1.2 Threats and risks

Risk: HIGH (Impact: Major, Likelihood: Possible)

Attackers regard password guessing and brute forcing as among the most effective
intrusion techniques, and the use of weak or default passwords is a leading cause
of security intrusions. A default XAMPP password does not even need to be brute
forced: it is published in the product documentation, so the first guess succeeds.
Because plain FTP also transmits credentials and file contents in cleartext, anyone
on the network path can capture both.

As an example, the pen-tester was able to read LDAP connection details from host
10.y.z.40 by exploiting the weak / default password. Using the above credential,
the pen-tester viewed the LDAP settings referenced in the PHP configuration file:

The server also hosted several applications for X regions, one of them being
Application Y. The configuration file for this web application could be read using
the default FTP credential:
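The impact described above comes from what the exposed PHP configuration files contain, not from the FTP access itself. The following is an added example, not part of the original report, showing how an assessor would pull a configuration file over FTP with the reported credentials and scan it for credential-bearing settings such as LDAP bind passwords. The host, file path and the config.php contents are constructed for illustration; the regular expressions cover the two assignment forms common in PHP configs (`$name = '...';` and `define('NAME', '...');`).

```python
"""Pull a PHP config over FTP and flag settings that look like credentials.

Added example for the finding above; not code from the assessed system.
The sample config below is constructed and does not come from any real host.
"""
import io
import re
from ftplib import FTP
from typing import Dict, List

# Setting names that usually hold a secret or point at an internal auth backend.
SENSITIVE = re.compile(r"(pass|pwd|secret|token|bind|ldap|db_user|username)", re.I)

# $name = 'value';   (group 2 captures the quote so the closing quote must match)
ASSIGN = re.compile(r"""\$(?P<k1>\w+)\s*=\s*(['"])(?P<v1>.*?)\2\s*;""")
# define('NAME', "value")
DEFINE = re.compile(r"""define\(\s*(['"])(?P<k2>\w+)\1\s*,\s*(['"])(?P<v2>.*?)\3\s*\)""")


def fetch_over_ftp(host: str, user: str, password: str, path: str, port: int = 21) -> str:
    """Log in with the reported credentials and read one file into memory.

    Only run against hosts you are authorised to test; FTP sends the
    credentials in cleartext, which is itself one of the risks noted above.
    """
    buf = io.BytesIO()
    with FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        ftp.login(user, password)
        ftp.retrbinary("RETR " + path, buf.write)
    return buf.getvalue().decode("utf-8", errors="replace")


def scan_php_config(text: str) -> List[Dict[str, str]]:
    """Return every sensitive-looking assignment found in a PHP config file."""
    found = []
    for m in ASSIGN.finditer(text):
        if SENSITIVE.search(m.group("k1")):
            found.append({"key": m.group("k1"), "value": m.group("v1")})
    for m in DEFINE.finditer(text):
        if SENSITIVE.search(m.group("k2")):
            found.append({"key": m.group("k2"), "value": m.group("v2")})
    return found


def mask(value: str) -> str:
    """Keep the first two characters so a report proves exposure without repeating the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def report(findings: List[Dict[str, str]]) -> List[str]:
    """One masked line per finding, suitable for pasting into a report."""
    return [f"{f['key']} = {mask(f['value'])}" for f in findings]


# Constructed sample of an application config.php; hypothetical values only.
SAMPLE_CONFIG = """<?php
$db_host = 'localhost';
$db_user = 'appuser';
$db_pass = 'S3cret!';
$ldap_host = 'ldap.corp.example';
$ldap_bind_dn = 'cn=svc-web,ou=services,dc=corp,dc=example';
$ldap_bind_password = "Bind-Pass-2016";
define('API_TOKEN', 'abc123');
define('APP_NAME', 'Application Y');
"""

if __name__ == "__main__":
    # Against a live host you would instead do:
    #   text = fetch_over_ftp("10.y.z.40", "nobody", "lampp", "htdocs/appy/config.php")
    for line in report(scan_php_config(SAMPLE_CONFIG)):
        print(line)
```

The scan deliberately matches on the setting name rather than the value, because values such as a bind DN or an internal LDAP hostname are sensitive even when they do not look like passwords; `mask` keeps the evidence usable in a report without copying the secret into it.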
1.1.1.3 Recommendations

1.1.1.3.1 CORRECTIVE ACTION (QUICK FIX)

The following corrective action is recommended:

a) Change weak or default FTP passwords

Weak or default FTP passwords must be changed on the reported web servers to
comply with the Client_Name Information Security Policy, i.e. at least 8
characters in length and difficult to guess. On XAMPP for Linux the bundled
/opt/lampp/lampp security helper prompts for new FTP, MySQL and phpMyAdmin
passwords. It is especially important to ensure that administrative accounts on
the web servers are protected with strong passwords. All passwords must also be
changed regularly, e.g. every 30 days. Where FTP is not needed, the service should
be disabled; where file transfer is needed, SFTP or FTPS should replace plain FTP,
which otherwise sends the new password in cleartext on every login. Note also that
Apache Friends ships XAMPP as a development package and does not intend its
default configuration to be exposed to a network.

1.1.1.3.2 PREVENTIVE ACTION (FUNDAMENTAL FIX)

The following preventive actions are recommended:

a) Inform administrators about the risk of using weak or common passwords:

Use of default passwords shows a lack of security awareness among the XAMPP
server administrators and either a lack of knowledge of the company's information
security policy or an unwillingness to follow it. Therefore, Client_Name shall
conduct security awareness programs for system administrators that include
security requirements, legal responsibilities and business controls, as well as
training in the correct use of information processing facilities, e.g. the log-on
procedure and information on the disciplinary process.

b) Perform regular password checks:


It is recommended to perform regular password checks on servers and
workstations, including checks for vendor default credentials on newly deployed
systems. The regular password checks should be performed by the internal audit
or information security team.
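The regular check recommended above can be automated for the XAMPP case. The following is an added example, not part of the original report: a sweep that tries the default credential pairs from the finding against a list of FTP hosts and records which host accepted which pair. The host list is constructed; the `nobody/lampp` and `nobody/xampp` pairs are the ones reported, while `daemon/xampp` is an assumed extra XAMPP-for-Linux default and should be confirmed against the vendor documentation before relying on it. The login function is injectable so the sweep logic can be exercised offline.

```python
"""Periodic sweep for XAMPP default FTP credentials.

Added example for the recommended regular password check; not code from the
assessed environment. Run only against hosts you are authorised to test.
"""
from ftplib import FTP, error_perm
from typing import Callable, Dict, List, Optional, Tuple, Union

# Credential pairs to try. The first two were found during the assessment;
# daemon/xampp is an assumed additional XAMPP-for-Linux ProFTPD default.
DEFAULT_CREDS: List[Tuple[str, str]] = [
    ("nobody", "lampp"),
    ("nobody", "xampp"),
    ("daemon", "xampp"),
]

# Returns True on accepted login, False on rejected login, None if unreachable.
LoginFn = Callable[[str, int, str, str], Optional[bool]]
Result = Union[Tuple[str, str], str]


def ftp_login_ok(host: str, port: int, user: str, password: str,
                 timeout: float = 5.0) -> Optional[bool]:
    """Attempt one FTP login and classify the outcome."""
    try:
        with FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(user, password)
            return True          # server accepted the default credential
    except error_perm:
        return False             # 5xx reply: credential rejected
    except (OSError, EOFError):
        return None              # no FTP service or network problem


def sweep(hosts: List[Tuple[str, int]],
          creds: List[Tuple[str, str]] = DEFAULT_CREDS,
          login: LoginFn = ftp_login_ok) -> Dict[Tuple[str, int], Result]:
    """Try every credential pair on every host; stop at the first hit per host.

    Stopping at the first success keeps the number of failed attempts low,
    which matters where the FTP server or a host IDS counts login failures.
    """
    results: Dict[Tuple[str, int], Result] = {}
    for host, port in hosts:
        for user, pw in creds:
            outcome = login(host, port, user, pw)
            if outcome is None:
                results[(host, port)] = "unreachable"
                break
            if outcome:
                results[(host, port)] = (user, pw)
                break
        else:
            results[(host, port)] = "no default credential accepted"
    return results


def report_lines(results: Dict[Tuple[str, int], Result]) -> List[str]:
    """Human-readable summary, hits first so they are not missed in a long list."""
    lines = []
    for (host, port), res in sorted(results.items(), key=lambda kv: not isinstance(kv[1], tuple)):
        if isinstance(res, tuple):
            lines.append(f"{host}:{port}  DEFAULT CREDENTIAL ACCEPTED  {res[0]}/{res[1]}")
        else:
            lines.append(f"{host}:{port}  {res}")
    return lines


if __name__ == "__main__":
    # Constructed host list using the report's redacted addressing scheme.
    targets = [("10.y.z.40", 21), ("10.y.z.170", 21), ("10.y.z.51", 21)]
    for line in report_lines(sweep(targets)):
        print(line)
```

Any host listed as accepting a default pair should be treated as an open finding: the password has to be changed (or the service disabled) and the sweep re-run to confirm, which is also how the re-test for this finding can be recorded.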

1.1.1.4 Effort to remediate

Corrective action effort rating: MEDIUM

Medium effort is required to change passwords on reported network elements.

Preventive action effort rating: MEDIUM

Medium effort will be required to perform additional password checks on all network
elements to ensure use of proper passwords. Such checks will also need to be
performed on regular basis e.g. using vulnerability management solutions.

1.1.1.5 Target group

The following teams/personnel will likely be involved in remediation efforts and
should be informed of this finding:

- Information security team,
- Server administrators.

1.1.1.6 Reference to standards

Standard and policies related to this finding:

- ISO/IEC 27001:2013:
  - A.7.2.2 Information security awareness, education and training: All
    employees of the organization and, where relevant, contractors shall
    receive appropriate awareness education and training and regular
    updates in organizational policies and procedures, as relevant for
    their job function.
  - A.9.2.4 Management of secret authentication information of users:
    The allocation of secret authentication information shall be controlled
    through a formal management process.
  - A.9.4.3 Password management system: Password management
    systems shall be interactive and shall ensure quality passwords.

1.1.1.7 Current status


This finding was reported on 25.10.2016 and is yet to be re-tested.