
What is the concern regarding XAMPP security?

Hi, I have been making an application that works on my Mac using MAMP, and a friend of mine would like to try out the app. She uses a Windows computer, so I’ve been trying to get the application to work on Windows. It’s been so long since I’ve used a Windows computer that I feel pretty unfamiliar with it. I now have XAMPP set up and the application works, but I have noticed people seem to be concerned about security while using XAMPP. Examples are:

https://teamtreehouse.com/forum/xampp-security
https://teamtreehouse.com/forum/local-server-with-xampp-secure-wordpress-windows
http://security.stackexchange.com/questions/6798/how-safe-is-it-to-install-xampp-on-my-home-computer-to-test-php-code/6807#6807

I don’t understand what there is to be concerned about. I followed the tutorial here on setting up XAMPP and Randy didn’t mention all these security issues. If there was anything to be concerned about, I’d be surprised that he didn’t cover it.

Could anyone please answer the following:

What exactly is the problem that could happen? How could installing XAMPP create security vulnerabilities? In the first link, georgknabl says to make sure you ‘change the default passwords’, and ‘don't write PHP scripts that expose or manipulate your entire filesystem’.

I thought the whole idea of MAMP and XAMPP was that the server is only on your computer, so I don’t see how anyone could access anything from another computer, or what setting a password would do apart from making XAMPP unusable to other users of the same computer. And what does he mean by, ‘don't write PHP scripts that expose or manipulate your entire filesystem’?

Also, on my localhost/security/index.php page, I have the following:

‘These XAMPP pages are accessible by network for everyone. Every XAMPP demo page you are right now looking at is accessible for everyone over network. Everyone who knows your IP address can see these pages.’

The status is ‘unsecure.’

and

'A FTP server is not running or is blocked by a firewall!'

Are these messages anything to be concerned about?

1 Answer

When you run XAMPP, your computer is acting as a web server, so if I am on the same network as you (e.g. the WiFi at a cafe) and know the name of your machine, or if I find out that your laptop is serving on port 80, I can browse to your XAMPP control page, log into your phpMyAdmin because you never changed the root password, and copy your database. If one of your sites has insecure scripts that take user input to fetch something from outside XAMPP's htdocs folder, I could possibly gain access to your computer's entire file system.

It's not likely to happen, but the possibility exists if you don't lock it down and aren't careful with your code. If you're on a network that you control or that only people you trust are on, you're pretty safe.
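As an added illustration of the second risk Art describes (not code from the thread or from XAMPP), here is the kind of PHP script that lets a request reach files outside htdocs, next to a version that confines reads to one directory. It assumes a `files` subfolder beside the script and a PHP 7 or newer XAMPP install; the script name `download.php` and the `file` query parameter are made up for the example.

```php
<?php
// Added example, not from the original thread. Shows a file-serving script
// that trusts user input (the problem the answer warns about) and a hardened
// version that keeps every read inside one base directory.

// --- Vulnerable: the query value is pasted straight into a filesystem path.
// A value containing ".." segments resolves to a file outside ./files, and
// because XAMPP listens on the network by default, anyone who can reach port
// 80 can request it.
function serve_file_unsafe($requested)
{
    $path = __DIR__ . '/files/' . $requested;
    return file_get_contents($path);   // no check that $path stays in ./files
}

// --- Hardened: allow only a plain file name, then verify the resolved path
//     really lives under the base directory before reading it.
function serve_file_safe($requested, $baseDir)
{
    // 1. Plain file names only: letters, digits, dot, dash, underscore.
    //    No directory separators, and no ".." sequences.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $requested) || strpos($requested, '..') !== false) {
        return false;
    }

    // 2. Canonicalise both sides. realpath() strips "." and ".." segments,
    //    resolves symlinks, and returns false when the target does not exist.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return false;
    }

    // 3. Containment check: the resolved file must begin with the resolved
    //    base plus a separator, so a sibling such as "files-private" cannot
    //    pass for "files".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    return file_get_contents($full);
}

// Usage (constructed): only files that exist inside ./files are ever read;
// anything else is answered with 404, whatever the request contained.
$name = isset($_GET['file']) ? $_GET['file'] : '';
$body = serve_file_safe($name, __DIR__ . '/files');
if ($body === false) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/octet-stream');
echo $body;
```

The containment check is the part that matters: validating the name alone is brittle, but comparing `realpath()` results means that whatever form the input takes, a read succeeds only if the resolved path is inside the directory you chose. For the first risk in the answer (the server being reachable by everyone on the network), the usual lock-down is to set a root password in phpMyAdmin and, while you only need the app on your own machine, bind Apache to the loopback interface with `Listen 127.0.0.1:80` in XAMPP's `httpd.conf` instead of the default `Listen 80`.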

Thank you so much Art, great answer!

You're welcome. Glad to help!