
Directory listing is a serious security risk for websites. Anyone can see and download the contents of the directory. It may reveal your website’s login and database information. It will definitely make the server-side scripts public, which puts the website’s security at stake. It may also expose private content such as images or multimedia files to the public.

Now, there are a number of ways you can prevent this from happening. Let me describe them one by one:

  • Change the Apache configuration file to disallow indexing. To do this, open the httpd.conf file; its probable location is /etc/apache2/. Now change the line

    Options Indexes FollowSymLinks Includes ExecCGI

    to

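    Options -Indexes +FollowSymLinks +Includes +ExecCGI

    Every option carries a + or - here because Apache 2.4 refuses to start when an Options line mixes prefixed and unprefixed options. Restart the Apache server.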

  • You may not have access to the Apache configuration file if you’re on shared hosting. In this case, you can disallow directory listing with the help of a .htaccess file. .htaccess files (or “distributed configuration files”) provide a way to make configuration changes on a per-directory basis. A file containing one or more configuration directives is placed in a particular document directory, and the directives apply to that directory and all of its subdirectories. Create a file named .htaccess in /var/www/. Note that the file has no name and only an extension, htaccess. It has to be named exactly like this; otherwise, it won’t work. Add this line to the file

    Options -Indexes

    and save it. Now try viewing the directory listing again in the browser. You should get a 403 error (Access forbidden). If you still see the listing, your .htaccess file is being ignored by the Apache server. This happens when .htaccess files are disallowed in httpd.conf. To enable .htaccess files, replace the following in httpd.conf

    AllowOverride None

    with

    AllowOverride All

    or

    AllowOverride Options

  • Finally, if you don’t have the authority to apply the remedies above, there’s still a solution for you. Simply put an empty index.html file in every directory. This way, no one will ever be able to see the contents of the directory. Instead, he or she will see a blank page.
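
To check a configuration against the first two remedies, the following added example (not code from the original post) audits each Directory block for an effective Indexes option and reports whether an Options line in a .htaccess file would be honoured there. It assumes the Apache 2.4 defaults (Options FollowSymLinks, AllowOverride None), literal directory paths, and a constructed sample configuration; the function names are chosen for this example.

```python
import re
# Constructed sample httpd.conf fragment (not from the original post).
SAMPLE_CONF = """
<Directory /var/www/>
    Options Indexes FollowSymLinks Includes ExecCGI
</Directory>
<Directory /var/www/uploads>
    Options -Indexes
    AllowOverride Options
</Directory>
<Directory /var/www/legacy>
    Options -Indexes FollowSymLinks
</Directory>
"""
BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
ALL = {"indexes", "followsymlinks", "includes", "execcgi", "symlinksifownermatch"}

def parse(conf):  # -> [(path, options, allowoverride)], shortest path first
    blocks = []
    for path, body in BLOCK.findall(conf):
        found = {"options": None, "allowoverride": None}
        for line in body.splitlines():
            words = line.split("#")[0].lower().split()
            if words and words[0] in found:
                found[words[0]] = words[1:]  # last directive in a block wins (simplified)
        blocks.append((path.rstrip("/") or "/", found["options"], found["allowoverride"]))
    return sorted(blocks, key=lambda b: len(b[0]))

def expand(opt):
    return ALL if opt == "all" else set() if opt == "none" else {opt}

def audit(conf):  # -> {path: (listing state, .htaccess Options honoured?)}
    blocks, report = parse(conf), {}
    for path, _, _ in blocks:
        opts, over, invalid = {"followsymlinks"}, ["none"], False  # Apache 2.4 defaults
        chain = [b for b in blocks if b[0] == "/" or (path + "/").startswith(b[0] + "/")]
        for _, p_opts, p_over in chain:  # parent sections apply before child sections
            over = p_over or over
            signed = [o[0] in "+-" for o in p_opts or []]
            if any(signed) and not all(signed):
                invalid = True  # Apache 2.4 refuses to start on mixed +/- and bare options
            elif any(signed):  # prefixed options merge with the inherited set
                for o in p_opts:
                    opts = opts | expand(o[1:]) if o[0] == "+" else opts - expand(o[1:])
            elif p_opts is not None:  # bare options replace the inherited set
                opts = set().union(*map(expand, p_opts))
        state = "invalid-options" if invalid else "listing" if "indexes" in opts else "no-listing"
        report[path] = (state, any(t == "all" or t.startswith("options") for t in over))
    return report
```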