Why MAMP is not secure

Most developers have probably heard of MAMP: it’s an all-in-one solution to run Apache, NGINX, PHP and MySQL on a Mac OS or Windows environment.

What is MAMP

MAMP installs a local server environment in a matter of seconds on your Mac OS X computer, be it MacBook or iMac. Like similar packages from the Windows- and Linux-world, MAMP comes free of charge, and is easily installed. MAMP will not compromise any existing Apache installation already running on your system. You can install Apache, PHP and MySQL without starting a script or having to change any configuration files! Furthermore, if MAMP is no longer needed, just delete the MAMP folder and everything returns to its original state (i.e. MAMP does not modify any of the “normal” system).

A few weeks ago I found a security flaw which can end up pretty nasty.

The problem

The webserver is running as your user account. Yes, the problem is that simple. That means that if you are hosting a website on your Mac, you are possibly exposing your full computer with all your files to the internet when your site is breached.
Running your server as the same user as your computer account means that if your website is breached, your whole computer is open to browsing, for example the desktop.
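A quick way to check whether a local stack has the problem described above, as an added example that is not from the original post or from MAMP: it reads `ps` output and lists web-stack processes owned by your login account. The process-name list, the function names and the sample data (user `alice`, the `Example Stack` paths) are assumptions made up for illustration.

```shell
#!/bin/sh
# Flag web-stack daemons that run under an interactive login account
# instead of a dedicated, unprivileged service account.

# Binary names treated as part of the web stack (assumption: common
# Apache/NGINX/PHP/MySQL names; adjust to match your install).
SERVER_RE='^(httpd|nginx|php-fpm|php-cgi|mysqld)$'

# flag_user_owned LOGIN_USER
# Reads "USER PID COMMAND" lines on stdin and prints "PID NAME" for every
# web-stack process whose owner is LOGIN_USER.
flag_user_owned() {
    awk -v login="$1" -v re="$SERVER_RE" '
    {
        # The command is everything after the first two fields, so that
        # install paths containing spaces are kept in one piece.
        cmd = $0
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", cmd)
        n = split(cmd, parts, "/")      # comm may be a full path
        name = parts[n]
        if ($1 == login && name ~ re) print $2, name
    }'
}

# Constructed sample of `ps` output (not captured from a real machine).
sample_ps() {
    cat <<'EOF'
alice   501 /Applications/Example Stack/bin/httpd
alice   502 /Applications/Example Stack/bin/mysqld
_www    610 /usr/sbin/httpd
alice   733 /Applications/Safari.app/Contents/MacOS/Safari
root      1 /sbin/launchd
EOF
}

# Demo on the sample. On a real machine, feed it live data instead:
#   ps -ax -o user= -o pid= -o comm= | flag_user_owned "$(id -un)"
# (each column gets its own -o so the empty "=" header is portable)
sample_ps | flag_user_owned alice
```

Any line printed for your own account means a compromise of a site served by that process inherits read and write access to everything your account can reach.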

Real life User Scenario

You are using a Mac to host your company’s backups (TimeMachine) and shared directories. You also want an easy solution to host a WordPress website for yourself. Great idea: you install MAMP, install WordPress, configure a DNS service and you’re good to go. Months go by, and WordPress exploits get found. You have a busy life and unfortunately you forget to update your WordPress installation for a few months.
A hacker runs wpscan, a tool commonly used by attackers to find exploits in your WordPress website.
It’s a piece of cake to look up an exploit and execute it to own the website.
Worst of all, your entire computer can be accessed because of MAMP!

How to fix

The developers can easily fix this by chrooting, jailing or changing the user of the webserver.

What is chroot (change root)?

It creates a virtualized environment in a Linux operating system, separated from the main operating system and directory structure. When you change root to another directory, you cannot access files and commands outside that directory. In this way chroot enhances the security of the system and creates a virtual environment inside of which the application operates. If a vulnerability exists in the application or code such that an attacker can gain file system access, they would only be able to access files inside the virtualized environment, and the rest of the operating system and directory structure would remain inaccessible.

If one of the developers is reading: I contacted you multiple times, but I haven’t heard from you for weeks.