Comments on: XAMPP Security: Cleaning the cgi-bin folder
http://robsnotebook.com/xampp-cgi-bin-cleaning
Sat, 04 Feb 2012 10:27:40 +0000

By: Joseph
Fri, 30 Jul 2010 19:08:58 +0000
http://robsnotebook.com/xampp-cgi-bin-cleaning#comment-82718

Thanks for the info. Without this article, I was afraid to even run the server but now I'm more confident to run it. And thanks Lisa it worked for me and I replaced line 11 with my own message.

By: TAN THIAM HUAT
Mon, 19 Apr 2010 06:31:42 +0000
http://robsnotebook.com/xampp-cgi-bin-cleaning#comment-79685

Access phpmyadmin via Internet (not intranet)
=============================================

I am able to access my webserver from another PC on the same network as the webserver (192.168.1.xxx), using http://192.168.1.xxx/phpmyadmin

However, I would also want to access that webserver (192.168.1.xxx) from another PC, outside the network as the webserver, via internet. Is that possible? Which portion of the config.inc.php file would I need to modify?

I understand that there would be some security issues. How would we take care of that?

By: Muon
Fri, 05 Mar 2010 15:52:46 +0000
http://robsnotebook.com/xampp-cgi-bin-cleaning#comment-78296

Ooops. That's \xampp\apache\conf\extra\httpd-default.conf to set "ServerTokens Prod" and "ServerSignature Off" to remove the system/server signatures.
-Best

By: Muon
Fri, 05 Mar 2010 15:48:50 +0000
http://robsnotebook.com/xampp-cgi-bin-cleaning#comment-78295

Using 1.73. This is good. Very good. I'm doing it... but CAREFULLY.

To sven: I'm not a pro but am SURE that removing printenv.pl from cgi-bin/ does NOT prevent the server from starting. However, even tiny mistakes in the config file can and WILL prevent the server from starting. When you run into trouble, check your config for the error (you just made) AND xampp\apache\logs\ for logfiles to help sort out where the error is. Remember, modifications to config files do not take effect until the server is restarted (oooOOOOoooo)!

To Lisa: thanks for the tip and reminder. (As I understand it) the "official" way to remove those disclosure lines etc., which experts consider a security risk, is to modify the \xampp\apache\conf\extra\ and set "ServerTokens Prod" and "ServerSignature Off". That seems to do it.

Thanks all for the excellent pages and comments.

By: sven
Sun, 13 Dec 2009 19:00:16 +0000
http://robsnotebook.com/xampp-cgi-bin-cleaning#comment-75058

I am using xampp version 1.7.2/php 5.3.0. When I remove the "printenv.pl" file, the Apache module starts but I can't log into the Admin page. The Admin button is inactive, and I don't see the normal green highlight for when Apache is running normally. When I try to run the mySQL Admin or load my web site, I get a page error.

I went back and undid all the changes to the config files to deny access to the folders that Rob suggested, but only reinstating the "printenv.pl" file made it work. What gives?

By: Lisa Ridley
Fri, 28 Dec 2007 06:47:50 +0000
http://robsnotebook.com/xampp-cgi-bin-cleaning#comment-3733

Sorry, but the code did not show up in my post.

You need to remove the line !--#echo var="SERVER_SOFTWARE" --, including the closing brackets, to remove the server software information from the bottom of the error pages.

By: Lisa Ridley
Fri, 28 Dec 2007 06:45:25 +0000
http://robsnotebook.com/xampp-cgi-bin-cleaning#comment-3732

Hi! Your guide here is great!

Just one thing -- not sure when this changed, but I just installed XAMPP 1.6.5, and removing the .pl script from the cgi folder as you noted above does not remove the environment variables from the error pages. To do this, you have to look in \xampp\apache\error\include\bottom.html. Remove the following instructions from the 11th line:

<!--#echo var="SERVER_SOFTWARE" -->

which can be found before the closing tag.

I’m not sure which version of XAMPP changed the delivery of the error pages, but this will remove the software information from the bottom of the error pages, leaving only the website name and date.

Awesome guide! Really helpful!
