CVE-2008-6498
Published: 2009-03-20
Priority: P4 · 29 · medium 6.8 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT · EPSS: 1.05% (59.9th percentile)
Cross-site request forgery (CSRF) vulnerability in security/xamppsecurity.php in XAMPP 1.6.8 allows remote attackers to hijack the authentication of users for requests that change a certain .htaccess password via the xampppasswd parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apachefriends | xampp | — | — |
No detection rules found.
Exploit-DB: XAMPP 1.7.2 - Change Administrative Password (exploitdb · 2009-12-11 · CVE-2008-6498)
---
# Title: XAMPP 1.7.2 Change Administrative Password
# Date: 11/12/2009
# Author: bi0
# Software Link: http://www.apachefriends.org/en/xampp-windows.html
# Version: 1.7.2
# Tested on: Windows XP / Windows Vista
# CVE : ()
[#]----------------------------------------------------------------[#]
#
# [x] XAMPP 1.7.2 Change Administrative Password
# [x] Author : bi0
# [x] Contact : [email protected]
# [+] Download : http://www.apachefriends.org/en/xampp-windows.html
#
[#]----------------------------------------------------------------[#]
#
# [x] Exploit :
#
# In older versions of xampp "xamppsecurity.php" was allowed
# only for l
Exploit-DB: XAMPP 1.6.8 - Cross-Site Request Forgery (Change Administrative Password) (exploitdb · 2008-12-08 · CVE-2008-6499)
---
XAMPP change administrative password:
Written by Michael Brooks
special thanks to str0ke
Affects XAMPP 1.6.8.
homepage: http://www.apachefriends.org/
XAMPP has 17+ million downloads from sourceforge.net.
register_globals=On or Off
This attack is exploitable even when this page is reporting a fully
secure system: http://10.1.1.10/security/index.php
There are two vulnerabilities that are being used together.
1) Global variable manipulation to spoof the IP address.
2) XSRF to change the .htaccess password for http://10.1.1.10/security/
and http://10.1.1.10/xampp/ .
$_SERVER['REMOTE_ADDR'] comes directly from Apache's TCP socket and
cannot normally be spoofed.
However, extract($_POST); can be used to overwrite a
No writeups or analysis indexed.