Linode.com Forum

maven · Senior Newbie Joined: 01 Jun 2004 Posts: 18

hi,

just wanted to know if anyone tried using xampp?
http://www.apachefriends.org/en/xampp-linux.html

as I needed a quick way to upgrade the Mandrake 9.1's default lamp stack, I chanced upon xampp and tried it out.

so far it rocks out of the box with no compilation for SuSE, RedHat, Mandrake and Debian. php 5.04 (plus eAccelerator -- yummy), apache 2.0.53 (loads of statically compiled in modules), MySQL 4.1.11. when caker comes out with sarge, hope to try it on that as well.

Question

anyone with feedback and care to share on security and best config practice for xampp? I will post stability notes as well...

ttyl
maven

Sipherx · Posted: Mon Jun 06, 2005 8:05 am Post subject:

I went to that link just to check out what xampp was, by the looks of it I wouldnt dare put that on my server, it seems to be very unsecure, and I will show you why.

Here a list of missing security in XAMPP:

The MySQL administrator (root) has no password.
The MySQL daemon is accessible via network.
ProFTPD uses the password "lampp" for user "nobody".
PhpMyAdmin is accessible via network.
Examples are accessible via network.
MySQL and Apache running under the same user (nobody).

Does that sound like something you want anyone to be able to take control over? Especially if your like me and you have a postfix-mysql email server. I would wait until Xampp fixed these issues, also all you people using WebMin there are tons of security issues there as well.

One more thing I just seen Xampp says run the following command:

To fix most of the security weaknesses simply call the following command:

/opt/lampp/lampp security

It starts a small security check and makes your XAMPP installation more secure.

What does "It makes it more secure" mean? lol, I mean give us some specifics, does it password protect stuff or what?
_________________
James Lenhart.

maven · Senior Newbie Joined: 01 Jun 2004 Posts: 18

thx for the comments! but u overreact. no worries. all installations require hardening anyway. have u tested it yet? which was why i asked for testing feedback in the first place. it's kinda new and for development but maybe the devs at xammp could use some of your comments to imprv their sec. join the forum http://www.apachefriends.org/f/?language=english maybe we'll all learn something

maven · Senior Newbie Joined: 01 Jun 2004 Posts: 18

o forgot to mention, the security script adds password-protects. it's open only initially for quick hacks at your own workstations and then u run the script for server deployment. still trying to find out more...

Sipherx · Posted: Wed Jun 08, 2005 9:59 am Post subject:

Alright, kool I might test it out. Dont think I was flaming you, I wasnt at all.
_________________
James Lenhart.

mylesb · Posted: Wed Jul 27, 2005 8:21 am Post subject:

OverlordQ · Senior Member Joined: 04 Jun 2004 Posts: 256

personaly wouldn't use it.

I use Debian, and installing that would probably throw you into dependency hell

mylesb · Posted: Wed Aug 10, 2005 8:05 am Post subject: