XAMPP Security: Cleaning the cgi-bin folder

July 10th, 2007

This article is part of a series of articles about making XAMPP more secure. See the overview page for all the security measures.

By default, XAMPP installs a script called “printenv.pl” into your c:\xampp\cgi-bin directory. When it is requested through the web server, this script shows the values of all your environment variables on a web page, which could provide extra information to a hacker trying to compromise your site. I suggest deleting this script if you kept your cgi-bin folder. The other scripts, cgi.cgi and perltest.cgi, are pretty harmless, but if you don’t need them, you might as well delete them.
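
One way to check a cgi-bin folder for the scripts named above, as an added example that is not part of the original article or of XAMPP. It flags the three default file names and, going a step beyond the text, any Perl script that walks the whole %ENV hash (a heuristic that also catches a renamed copy of an environment dumper); the function names, the regular expression and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Default scripts named in the article (compared case-insensitively, as on Windows).
DEFAULT_SCRIPTS = {"printenv.pl", "cgi.cgi", "perltest.cgi"}

# Heuristic (assumption): a Perl script that walks the whole %ENV hash is an
# environment dumper, whatever its file name is.
ENV_DUMP = re.compile(r"\b(?:keys|each|values)\s*\(?\s*%ENV\b")


def audit_cgi_bin(cgi_bin):
    """Return (file name, reason) findings for one cgi-bin directory."""
    findings = []
    for path in sorted(Path(cgi_bin).iterdir()):
        if not path.is_file():
            continue
        text = path.read_text(encoding="latin-1", errors="replace")
        if ENV_DUMP.search(text):
            findings.append((path.name, "dumps environment variables"))
        elif path.name.lower() in DEFAULT_SCRIPTS:
            findings.append((path.name, "default XAMPP sample script"))
    return findings


def demo():
    """Build a constructed cgi-bin in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {  # constructed file contents, not the real XAMPP scripts
            "printenv.pl": 'foreach $k (sort(keys(%ENV))) { print "$k=$ENV{$k}\\n"; }',
            "PerlTest.cgi": 'print "Content-type: text/html\\n\\nworks";',
            "env-copy.pl": 'while (($k, $v) = each %ENV) { print "$k=$v\\n"; }',
            "contact.pl": 'print "Content-type: text/plain\\n\\n$ENV{REMOTE_ADDR}";',
        }
        for name, body in samples.items():
            (Path(tmp) / name).write_text(body, encoding="latin-1")
        return audit_cgi_bin(tmp)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

A script that reads a single variable, like the constructed contact.pl, is not flagged; only iteration over the full hash is.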

Next Step

Now we’re ready for the next step to add additional password protection.


  1. Lisa Ridley on 28 Dec 2007 at 1:45 am

    Hi! Your guide here is great!

    Just one thing — not sure when this changed, but I just installed XAMPP 1.6.5, and removing the .pl script from the cgi folder as you noted above does not remove the environment variables from the error pages. To do this, you have to look in \xampp\apache\error\include\bottom.html. Remove the following instructions from the 11th line:

    which can be found before the closing tag.

    I’m not sure which version of XAMPP changed the delivery of the error pages, but this will remove the software information from the bottom of the error pages, leaving only the website name and date.

    Awesome guide! Really helpful!

  2. Lisa Ridley on 28 Dec 2007 at 1:47 am

    Sorry, but the code did not show up in my post.

    You need to remove the line `!--#echo var="SERVER_SOFTWARE" --`, including the closing brackets, to remove the server software information from the bottom of the error pages.

  3. sven on 13 Dec 2009 at 2:00 pm

    I am using xampp version 1.7.2/php 5.3.0. When I remove the “printenv.pl” file, the Apache module starts but I can’t log into the Admin page. The Admin button is inactive, and I don’t see the normal green highlight for when Apache is running normally. When I try to run the mySQL Admin or load my web site, I get a page error.

    I went back and undid all the changes to the config files to deny access to the folders that Rob suggested, but only reinstating the “printenv.pl” file made it work. What gives?

  4. Muon on 05 Mar 2010 at 10:48 am

    Using 1.73. This is good. Very good. I’m doing it… but CAREFULLY.

    To sven: I’m not a pro but am SURE that removing printenv.pl from cgi-bin/ does NOT prevent the server from starting. However, even tiny mistakes in the config file can and WILL prevent the server from starting. When you run into trouble, check your config for the error (you just made) AND xampp\apache\logs\ for logfiles to help sort out where the error is. Remember, modifications to config files do not take effect until the server is restarted (oooOOOOoooo)!

    To Lisa: thanks for the tip and reminder. (as I understand it) The “official” way to remove those disclosure lines etc. which experts consider a security risk is to modify the \xampp\apache\conf\extra\ and set “ServerTokens Prod” and “ServerSignature Off”. That seems to do it.

    Thanks all for the excellent pages and comments.

  5. Muon on 05 Mar 2010 at 10:52 am

    Oops. That’s \xampp\apache\conf\extra\httpd-default.conf to set “ServerTokens Prod” and “ServerSignature Off” to remove the system/server signatures.

  6. TAN THIAM HUAT on 19 Apr 2010 at 1:31 am

    Access phpmyadmin via Internet (not intranet)

    I am able to access my webserver from another PC on the same network as the webserver (192.168.1.xxx), using http://192.168.1.xxx/phpmyadmin

    However, I would also want to access that webserver (192.168.1.xxx) from another PC, outside the network as the webserver, via internet. Is that possible? Which portion of the config.inc.php file would I need to modify?

    I understand that there would be some security issues. How would we take care of that?

  7. Joseph on 30 Jul 2010 at 2:08 pm

    Thanks for the info. Without this article, I was afraid to even run the server but now I’m more confident to run it. And thanks, Lisa, it worked for me and I replaced line 11 with my own message.
