XAMPP for Windows 7.4.6 Exploit

The bot identifies the server by requesting a non-existent page. The default XAMPP error page reveals Apache/2.4.41 (Win64) PHP/7.4.6.

This is a writeup for CVE-2020-11107 I've found. An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16, and 7.4.

If phpMyAdmin is left open with no password:

The CVE-2024-45195 vulnerability serves as a reminder of the importance of keeping your software up to date and the potential for subtle OS-specific behaviors to introduce significant security risks. By understanding the mechanics of this exploit and implementing the recommended mitigation strategies, you can significantly reduce your exposure and protect your Windows-based XAMPP installations. Stay vigilant and prioritize security in your development and deployment workflows.

On a secure XAMPP install, they would see a "403 Forbidden" error. On a vulnerable 7.4.6 Windows install, they were presented with the phpMyAdmin login screen – but here’s the catch:

Disclaimer: This article is for educational and defensive security purposes only. The exploit discussed has been patched. Do not use this information to attack systems you do not own.

The vulnerability stems from how XAMPP, when configured to use PHP-CGI, handles certain character sequences on Windows. Specifically, it involves the way the Windows API processes command-line arguments and how PHP-CGI interprets them.