
Xampp

XAMPP is not secure


README

Published date: 2025-01-10 | Updated date: 2025-01-11 | Neustradamus

<p align="center"> <h1 align="center"> Should we use? <br /> XAMPP </h1> <h3 align="center"> Apache + MariaDB + PHP + Perl <br /> <br /> Linux / Apple MacOS / Microsoft Windows <br /> <br /> Development use? <br /> Production use? </h3> <h3 align="center"> <a href="https://www.apachefriends.org/">Apache Friends</a> </h3> </p> <p align="center"> <a href="https://www.apachefriends.org/"> <img src="https://upload.wikimedia.org/wikipedia/en/7/78/XAMPP_logo.svg" alt="XAMPP Logo" width="100"> </a> <br /><br /> </p> <p align="center"> <a href="https://www.apachefriends.org/"> <img src="https://upload.wikimedia.org/wikipedia/commons/d/de/XAMPP_Windows_10.PNG" alt="XAMPP Windows Interface" width="400"> </a> <br /><br /> </p>

XAMPP, what is it?

<b><a href="https://www.apachefriends.org/">XAMPP</a></b> is a free and open-source cross-platform web server solution stack package developed by Apache Friends, consisting mainly of the Apache HTTP Server, MariaDB database, and interpreters for scripts written in the PHP and Perl programming languages. <br /> Since most actual web server deployments use the same components as XAMPP, it makes transitioning from a local test server to a live server possible.

The Apache Friends website indicates that XAMPP stands for "XAMPP Apache + MariaDB + PHP + Perl", making it a recursive acronym. XAMPP formerly used MySQL, but this was replaced with MariaDB on 19 October 2015 and beginning with XAMPP versions 5.5.30 and 5.6.14, altering the meaning of the acronym. It originally stood for Cross-Platform + Apache + MySQL + PHP + Perl.

Source: Wikipedia

Important information, a little history...

<b>XAMPP</b> and <b>Apache Friends</b> were created by Kai "Oswald" Seidler and Kay Vogelgesang in 2002.<br /> In 2013, <b>Apache Friends</b> was acquired by <b>Bitrock</b>, creator of Bitnami.<br /> In 2019, <b>Bitrock</b> was acquired by <b>VMware</b>.<br /> In 2022, <b>Bitrock</b> was acquired by <b>Backstaff Software</b>, without Bitnami.<br /> In 2023, <b>VMware</b> was acquired by <b>Broadcom</b>.<br />

Updates?

Unfortunately, for several years there have been few updates of XAMPP, which was already not good.<br /> And there has been nothing since 2023, after the sale of VMware.

Development use, production use, or both?

Since 2002, <b>XAMPP</b> has been used in development as well as in production, on internal, external, and cloud machines. Attention: software that is not updated regularly is not secure.

Download statistics?

On Sourceforge:

  • Windows: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/stats/timeline?dates=2002-09-01+to+2025-01-01&period=monthly
  • MacOS: https://sourceforge.net/projects/xampp/files/XAMPP%20Mac%20OS%20X/stats/timeline?dates=2002-09-01+to+2025-01-01&period=monthly
  • Linux: https://sourceforge.net/projects/xampp/files/XAMPP%20Linux/stats/timeline?dates=2002-09-01+to+2025-01-01&period=monthly

These are Sourceforge figures only; there are no external download statistics.

Latest Apache Friends Announcement (2023-11-19)

  • https://www.apachefriends.org/blog/new_xampp_20231119.html

Vulnerabilities

Some CVEs have been fixed in the latest versions of the bundled software.<br />XAMPP does not ship those up-to-date versions.

XAMPP
  • https://www.cvedetails.com/vulnerability-list/vendor_id-9206/Apachefriends.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-5160/Apache-Friends.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-2780/Xampp.html
Apache HTTPd
  • https://httpd.apache.org/security/vulnerabilities_24.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/apache-http-server.html
MariaDB (10.4.x: EOL)
  • https://mariadb.com/kb/en/security/
  • https://www.cvedetails.com/vulnerability-list/vendor_id-12010/product_id-22503/Mariadb-Mariadb.html
PHP (8.0.x and 8.1.x: EOL)
  • https://www.php.net/ChangeLog-8.php
  • https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/PHP-PHP.html
Apache mod_perl, Perl and StrawberryPerl
  • https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-10711/Apache-Mod-Perl.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-1885/product_id-13879/Perl-Perl.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-28156/product_id-119508/Strawberryperl-Strawberryperl.html
Apache Tomcat (8.5.x: EOL)
  • https://tomcat.apache.org/security-8.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-887/Apache-Tomcat.html
phpMyAdmin
  • https://www.phpmyadmin.net/security/
  • https://www.cvedetails.com/vulnerability-list/vendor_id-784/product_id-1341/Phpmyadmin-Phpmyadmin.html
FileZilla Server
  • https://www.cvedetails.com/vulnerability-list/vendor_id-20971/product_id-61904/Filezilla-project-Filezilla-Server.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-2889/product_id-6065/Filezilla-Filezilla-Server-Terminal.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-2889/product_id-5062/Filezilla-Filezilla-Server.html
Mercury Mail Transport System
  • https://www.cvedetails.com/vulnerability-list/vendor_id-5460/product_id-9253/Pegasus-Mercury-Mail-Transport-System.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-239/product_id-6531/David-Harris-Mercury-Mail-Transport-System.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-130/product_id-10545/Pmail-Mercury-Mail-Transport-System.html
OpenSSL (1.1.1: EOL / 3.1.x: EOL Q1 2025)
  • https://openssl-library.org/news/vulnerabilities/
  • https://www.cvedetails.com/vulnerability-list/vendor_id-217/product_id-383/Openssl-Openssl.html
Curl
  • https://curl.se/docs/security.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-2852/product_id-4982/Curl-Curl.html
Apache Portable Runtime - APR
  • https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-18195/Apache-APR.html
Apache Portable Runtime Utility Library - APR-utils
  • https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-17508/Apache-Apr-util.html
FPDF
  • Not listed (no vulnerability?)
FreeTDS
  • https://www.cvedetails.com/vulnerability-list/vendor_id-22202/Freetds.html
FreeType
  • https://www.cvedetails.com/vulnerability-list/vendor_id-4535/Freetype.html
LibGD
  • https://www.cvedetails.com/vulnerability-list/vendor_id-6668/Libgd.html
GNU dbm
  • Not listed (no vulnerability?)
gettext
  • https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-4701/GNU-Gettext.html
ICU4C
  • https://www.cvedetails.com/vulnerability-list/vendor_id-17477/Icu-project.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-7624/Icu-Project.html
UW IMAP
  • Not listed (no vulnerability?)
Apache HTTP Request Library - apreq
  • https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-50894/Apache-Libapreq2.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-4076/Libapreq2.html
Expat - libexpat
  • https://github.com/libexpat/libexpat/blob/master/expat/Changes
  • https://www.cvedetails.com/vulnerability-list/vendor_id-16735/Libexpat-Project.html
libpng
  • https://www.cvedetails.com/vulnerability-list/vendor_id-7294/Libpng.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-25/product_id-3774/Redhat-Libpng.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-1189/product_id-2056/Greg-Roelofs-Libpng.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-6655/Png-Reference-Library.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-1189/product_id-2094/Greg-Roelofs-Libpng3.html
libxml
  • https://www.cvedetails.com/vulnerability-list/vendor_id-1962/product_id-3311/Xmlsoft-Libxml2.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-1962/product_id-3534/Xmlsoft-Libxml.html
libxslt
  • https://www.cvedetails.com/vulnerability-list/vendor_id-1962/product_id-14676/Xmlsoft-Libxslt.html
mcrypt
  • https://www.cvedetails.com/vulnerability-list/vendor_id-1643/Mcrypt.html
mhash
  • Not listed (no vulnerability?)
Ming - libming
  • https://www.cvedetails.com/vulnerability-list/vendor_id-16097/Libming.html
ncurses
  • https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-38464/GNU-Ncurses.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-17277/Ncurses-Project.html
OpenLDAP (client)
  • https://www.cvedetails.com/vulnerability-list/vendor_id-439/Openldap.html
R&OS Pdf Class
  • Not listed (no vulnerability?)
ProFTPD
  • https://www.cvedetails.com/vulnerability-list/vendor_id-9520/Proftpd.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-204/Proftpd-Project.html
Sablotron
  • Not listed (no vulnerability?)
zlib
  • https://www.cvedetails.com/vulnerability-list/vendor_id-13265/product_id-111843/Zlib-Zlib.html
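A defender's check for the EOL branches named in the list above (MariaDB 10.4.x, PHP 8.0.x/8.1.x, Tomcat 8.5.x, OpenSSL 1.1.1/3.1.x), written here as an added example and not code from the Neustradamus/Xampp repository. It assumes the `php`, `mariadb`, `catalina.sh` and `openssl` binaries are on PATH (XAMPP installs them under its own directory, so adjust the commands); the banner formats and sample banners are assumptions/constructed.

```python
import re
import subprocess

# EOL branches named in the component list above (as of the page's date).
EOL_BRANCHES = {"php": ["8.0", "8.1"], "mariadb": ["10.4"],
                "tomcat": ["8.5"], "openssl": ["1.1.1", "3.1"]}
# Regexes that pull the version out of each tool's banner (assumed formats).
BANNER_PATTERNS = {
    "php": re.compile(r"\bPHP (\d+\.\d+\.\d+)"),
    "mariadb": re.compile(r"\b(\d+\.\d+\.\d+)-MariaDB"),
    "tomcat": re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+)"),
    "openssl": re.compile(r"\bOpenSSL (\d+\.\d+\.\d+[a-z]?)"),
}
# Commands that print those banners (assumption: the binaries are on PATH).
BANNER_COMMANDS = {"php": ["php", "-v"], "mariadb": ["mariadb", "--version"],
                   "tomcat": ["catalina.sh", "version"], "openssl": ["openssl", "version"]}

def parse_version(component, banner):
    m = BANNER_PATTERNS[component].search(banner)
    return m.group(1) if m else None

def in_branch(version, branch):
    # "3.1" must match 3.1.x but not 3.10.x; "1.1.1" must match 1.1.1w.
    rest = version[len(branch):] if version.startswith(branch) else None
    return rest is not None and (rest == "" or not rest[0].isdigit())

def audit(banners):
    """Return 'component version' for every component whose version is on an EOL branch."""
    findings = []
    for component, banner in banners.items():
        version = parse_version(component, banner)
        if version and any(in_branch(version, b) for b in EOL_BRANCHES[component]):
            findings.append(f"{component} {version}")
    return findings

def collect_banners():
    banners = {}
    for component, cmd in BANNER_COMMANDS.items():
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
            banners[component] = proc.stdout + proc.stderr
        except (OSError, subprocess.TimeoutExpired):
            pass  # tool missing or not on PATH: nothing to check for it
    return banners
# Constructed sample banners (not captured from a real install) for an offline run.
SAMPLE_BANNERS = {"php": "PHP 8.1.25 (cli) (built: Oct 26 2023) (NTS)",
                  "mariadb": "mariadb Ver 15.1 Distrib 10.4.32-MariaDB, for Win64",
                  "tomcat": "Server version: Apache Tomcat/8.5.96",
                  "openssl": "OpenSSL 1.1.1w  11 Sep 2023"}
if __name__ == "__main__":
    print(audit(collect_banners() or SAMPLE_BANNERS))
```

A component on an EOL branch receives no security fixes at all, so a hit here is a reason to upgrade regardless of which CVEs are currently open.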

References

Software

  • XAMPP on Wikipedia | Official website: https://www.apachefriends.org/ | Official Sourceforge Project: https://sourceforge.net/projects/xampp/
  • Apache HTTP Server on Wikipedia | Official website: https://httpd.apache.org/
  • MariaDB on Wikipedia | Official website: https://mariadb.org/
  • PHP on Wikipedia | Official website: https://www.php.net/
  • mod_perl on Wikipedia | Official website: https://perl.apache.org/
  • Perl on Wikipedia | Official website: https://www.perl.org/
  • StrawberryPerl on [Wikipedia](https://en.wikipedia.org/wiki/Strawbe