A misconfigured or default web server configuration can lead to a number of issues that help an attacker craft an attack. One common web server issue is directory listing. Many administrators leave it enabled by mistake, creating an information disclosure issue (leakage of sensitive information), because everyone is allowed to see all the files and directories on the website.

What is Directory Listing?
Directory listing is a web server feature that, when enabled, makes the server list the contents of a directory when there is no index file (e.g. index.php or index.html) present. If a request is made to a directory on which directory listing is enabled and there is no index file such as index.php or index.asp, the web server responds with a listing of the directory, even when the directory contains files belonging to a web application. This is an information leakage issue, and attackers can use the disclosed information to craft other attacks, including direct impact vulnerabilities such as XSS.

As you can see from the picture above, the directory listing feature generates output similar to the ‘dir’ or ‘ls’ command run on an operating system. Directory listing issues are the kind of issue that an SSL certificate won’t protect you from. The good news, however, is that these issues can easily be identified with an automated web vulnerability scanner.
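The scanner check mentioned above is simple to reproduce. The following is an added example, not code from the original post or from any scanner vendor: a small Python detector that recognises the listing pages Apache's mod_autoindex and nginx's autoindex generate (an "Index of /…" title plus one link per entry), extracts the exposed names, and flags the ones that look like backups, dumps or secrets. The three HTML responses are constructed samples, and the marker heuristics and the list of suspicious extensions are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample responses (not real captures). Apache's mod_autoindex and
# nginx's autoindex module both emit an "Index of /path" title plus a link per entry.
APACHE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /secret</title></head>
<body><h1>Index of /secret</h1><ul>
<li><a href="?C=N;O=D">Name</a></li>
<li><a href="/">Parent Directory</a></li>
<li><a href="config.php.bak">config.php.bak</a></li>
</ul></body></html>"""

NGINX_LISTING = """<html><head><title>Index of /backup/</title></head>
<body><h1>Index of /backup/</h1><hr><pre><a href="../">../</a>
<a href="db.sql">db.sql</a>      01-Jan-2024 10:00   2048
</pre><hr></body></html>"""

NORMAL_PAGE = """<html><head><title>Welcome</title></head>
<body><h1>Index of contents</h1><p>Nothing to see here.</p></body></html>"""

_TITLE_RE = re.compile(r"^\s*Index of /", re.IGNORECASE)
_PARENT_HREFS = {"/", "..", "../"}
# Extensions that usually mean a backup, dump or secret was left in the web root (assumed list).
SENSITIVE_SUFFIXES = (".bak", ".old", ".orig", ".sql", ".zip", ".tar.gz", ".env", ".log")


class _ListingParser(HTMLParser):
    """Collects the <title> text and every href on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _parse(html: str) -> _ListingParser:
    parser = _ListingParser()
    parser.feed(html)
    return parser


def is_directory_listing(html: str) -> bool:
    """Heuristic: an 'Index of /...' title together with at least one link."""
    parsed = _parse(html)
    return bool(_TITLE_RE.match(parsed.title)) and bool(parsed.hrefs)


def listed_entries(html: str) -> list:
    """Names the listing exposes; parent links and Apache's ?C=...;O=... sort links are dropped."""
    if not is_directory_listing(html):
        return []
    return [h for h in _parse(html).hrefs
            if h not in _PARENT_HREFS and not h.startswith("?")]


def sensitive_entries(html: str) -> list:
    """Entries worth triaging first: backups, dumps, env files and logs."""
    return [e for e in listed_entries(html) if e.lower().endswith(SENSITIVE_SUFFIXES)]


if __name__ == "__main__":
    for label, body in (("apache", APACHE_LISTING), ("nginx", NGINX_LISTING), ("normal", NORMAL_PAGE)):
        print(label, is_directory_listing(body), sensitive_entries(body))
```

The title check is deliberately strict: a normal page whose heading happens to contain "Index of" (as in the third sample) is not reported, while both server families' real listings are. In a scanner this classifier would run over the body of every directory URL found by crawling, and the sensitive-entry list is what an assessor reports first.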
What Information is Leaked & What are the Risks of Directory Listing?
Let’s assume that a backup copy of the file config.php, which holds the credentials for a database connection, is stored in the secret folder, and that this folder has directory listing enabled. If the attacker finds the secret folder by crawling or fuzzing and then accesses it directly, e.g. http://www.example.com/secret/, he can see and download the backup file, which contains the database connection details. The attacker now has the connection details for the web application’s database, and can potentially damage the database or the web application using these credentials.
How to Disable Directory Listing?
As a security best practice it is recommended to disable directory listing. One way to do so is to create an empty index file (index.php, index.html or any other extension your web server is configured to parse) in each relevant directory. In many cases, though, this is not the best solution, because such files are typically forgotten, for example when migrating the web application from the development to the production environment, or when new directories are added.

Put this one line of code in your .htaccess file, located in the root of your file manager. It will cause a 403 Forbidden error.
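The one-line .htaccess directive referred to above is not reproduced on the page; the Apache directive that turns the feature off is `Options -Indexes`, after which a request for a directory without an index file gets a 403 Forbidden response. The script below is an added example, not the page's own code: it audits a document root for directories that have neither an index file nor an .htaccess switching Indexes off (the forgotten-directory problem described above), writes the directive into the root .htaccess so that subdirectories inherit it, and audits again. The sample tree is constructed in a temporary directory, and the script assumes the server's default configuration leaves listing enabled and that AllowOverride permits Options in .htaccess.

```python
import os
import tempfile
from pathlib import Path

INDEX_NAMES = ("index.php", "index.html", "index.htm")
DIRECTIVE = "Options -Indexes"   # Apache mod_autoindex off; a listing request then gets 403


def listing_state_from_htaccess(directory: Path, docroot: Path):
    """Walk from `directory` up to `docroot` and return the verdict of the nearest
    .htaccess Options line that mentions Indexes: False (off), True (on) or
    None (nothing decides). Assumes AllowOverride permits Options."""
    current, root = directory.resolve(), docroot.resolve()
    while True:
        htaccess = current / ".htaccess"
        if htaccess.is_file():
            # Within one file a later Options line overrides an earlier one.
            for raw in reversed(htaccess.read_text().splitlines()):
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                tokens = line.split()
                if tokens[0].lower() != "options":
                    continue
                opts = [t.lower() for t in tokens[1:]]
                if "-indexes" in opts or opts == ["none"]:
                    return False
                if "+indexes" in opts or "indexes" in opts:
                    return True
        if current == root:
            return None
        current = current.parent


def audit(docroot: Path) -> list:
    """Directories that would be listed: no index file and no .htaccess turning
    Indexes off. Assumes the server-wide default leaves listing enabled."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        directory = Path(dirpath)
        if any(name in filenames for name in INDEX_NAMES):
            continue
        if listing_state_from_htaccess(directory, docroot) is False:
            continue
        exposed.append(directory.relative_to(docroot).as_posix())
    return sorted(exposed)


def disable_listing(docroot: Path) -> Path:
    """Append `Options -Indexes` to the docroot .htaccess; subdirectories inherit it."""
    htaccess = docroot / ".htaccess"
    existing = htaccess.read_text() if htaccess.is_file() else ""
    if DIRECTIVE.lower() not in existing.lower():
        prefix = existing if not existing or existing.endswith("\n") else existing + "\n"
        htaccess.write_text(prefix + DIRECTIVE + "\n")
    return htaccess


def build_demo_tree() -> Path:
    """Constructed document root: the home page has an index file, but 'secret/'
    (holding a config backup) and 'images/' do not."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    (root / "index.php").write_text("<?php echo 'home'; ?>\n")
    (root / "secret").mkdir()
    (root / "secret" / "config.php.bak").write_text("DB_PASS=placeholder\n")
    (root / "images").mkdir()
    (root / "images" / "logo.png").write_bytes(b"\x89PNG")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("before:", audit(root))      # ['images', 'secret']
    disable_listing(root)
    print("after: ", audit(root))      # []
```

Because Apache merges per-directory configuration from parent to child, a later `Options +Indexes` in a subdirectory's .htaccess silently re-enables listing there; the audit walks upward to the nearest deciding line for exactly that reason, so such an override shows up on the next run. Running the audit periodically (or in the deployment pipeline) catches the directories that an empty index file approach would have missed.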