HighDots Forums  

preventing casual observation of dir content

HTML Writing HTML for the Web (comp.infosystems.www.authoring.html)


#11
William Gill
Re: preventing casual observation of dir content - 10-14-2009, 11:35 AM

Adrienne Boswell wrote:
> If directory browsing is enabled, and you want to change that, there are
> a few ways. As Beauregard already posted, if you are on Apache, it's a
> matter of .htaccess. Windows does not have such a file, and if you do
> not have access to site configuration, you will have to ask your hosting
> provider to do it for you.

Apache has it regardless of the OS (Windows or *nix). I haven't used IIS
for some years, and it didn't support .htaccess at the time, but if I
remember correctly (a high risk proposition) there were ways to set up
similar options.

--
Bill

#12
Josiah Jenkins
Re: Vice versa - 10-14-2009, 09:01 PM

On Wed, 14 Oct 2009 08:55:14 -0400, William Gill
<nospam (AT) domain (DOT) invalid> wrote:

> Josiah Jenkins wrote:
>> On Mon, 12 Oct 2009 17:13:14 -0400, "Beauregard T. Shagnasty"
>> <a.nony.mous (AT) example (DOT) invalid> wrote:
>>
>>> Josiah Jenkins wrote:
>>>
>>>> "Beauregard T. Shagnasty" wrote:
>>>>> You don't say what your web server is... Apache? If so, create a file
>>>>> in your root directory named: .htaccess and put this one line in it:
>>>>>
>>>>> # Options -Indexes
>>>> I want to do the opposite.
>>>>
>>>> I'm using WAMP to check pages before uploading. By default, in
>>>> localhost, index.php opens as a webpage in FF and I'd prefer to see a
>>>> file list of the pages in the directory so that I can select a page
>>>> to work on.
>>>>
>>>> After some snooping around, I've created an .htaccess file with the
>>>> single line : Options +Indexes in the root folder but it doesn't
>>>> appear to have had any effect.
>>> Remove or rename index.php to something other than a default page.
>>> Maybe even something simple such as: index1.php
>>> Then the +Indexes will take over.
>>
>> That's done the trick (index_1.php)
>> I had discovered that moving the index file out of the folder also
>> worked but that's probably a better workaround.
>>
>> Thanks for the help.
>
> If you don't want to have to rename the index_1.php every time you have
> to upload it to your production server leave it as index.php, and in
> your development server .htaccess enter these two lines
>
> DirectoryIndex xxx.xxx
> Options +Indexes
>
> or
>
> #DirectoryIndex index.php
> DirectoryIndex xxx.xxx
> Options +Indexes
>
> and move the comment (#) back and forth to toggle the effect.

Thanks for that. I've noted it but suspect that, with my limited
knowledge, I'm probably better just renaming the 'index' file rather
than creating an .htaccess file and switching between the commands
contained in that.

In my FTP program (Terappin) I can *see* that there are different
file names between my local machine and the server.

KISS ! It works for me . . .
--


http://www.ian-stewart.eu

#13
Adrienne Boswell
Re: preventing casual observation of dir content - 10-14-2009, 11:10 PM

Gazing into my crystal ball I observed William Gill
<nospam (AT) domain (DOT) invalid> writing in news:AdmBm.147$pl1.65 (AT) newsfe01 (DOT) iad:

> Adrienne Boswell wrote:
>> If directory browsing is enabled, and you want to change that, there
>> are a few ways. As Beauregard already posted, if you are on Apache,
>> it's a matter of .htaccess. Windows does not have such a file, and
>> if you do not have access to site configuration, you will have to ask
>> your hosting provider to do it for you.
>
> Apache has it regardless of the OS (Windows or *nix). I haven't used IIS
> for some years, and it didn't support .htaccess at the time, but if I
> remember correctly (a high risk proposition) there were ways to set up
> similar options.

Windows still does not support .htaccess. I imagine it's because that's
too "simple", and too difficult for them to turn into a mess of tangled
code.

--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share

#14
William Gill
Re: preventing casual observation of dir content - 10-15-2009, 09:43 AM

Adrienne Boswell wrote:
> Gazing into my crystal ball I observed William Gill
> <nospam (AT) domain (DOT) invalid> writing in news:AdmBm.147$pl1.65 (AT) newsfe01 (DOT) iad:
>
>> Adrienne Boswell wrote:
>>> If directory browsing is enabled, and you want to change that, there
>>> are a few ways. As Beauregard already posted, if you are on Apache,
>>> it's a matter of .htaccess. Windows does not have such a file, and
>>> if you do not have access to site configuration, you will have to ask
>>> your hosting provider to do it for you.
>>
>> Apache has it regardless of the OS (Windows or *nix). I haven't used IIS
>> for some years, and it didn't support .htaccess at the time, but if I
>> remember correctly (a high risk proposition) there were ways to set up
>> similar options.
>
> Windows still does not support .htaccess. I imagine it's because that's
> too "simple", and too difficult for them to turn into a mess of tangled
> code.

You are missing my point. It's not a Windows issue, it's an HTTP server
issue. Apache supports .htaccess in all OS's including Windows, IIS
(which comes with Windows) does not. There are other HTTP servers for
Windows, that may or may not read and implement .htaccess directives.
However IIS uses its own configuration mechanisms to control server
behavior, .htaccess is (primarily) an Apache configuration mechanism.
Implying IIS not implementing an Apache mechanism is somehow a fault
with IIS would be like saying Apache is deficient because it can't be
configured using IIS Manager. Both servers seem to be able to do the
same things, I just prefer Apache because I don't have to have one set
of files for my development server, and another for my production server.

--
Bill

#15
William Gill
Re: Vice versa - 10-15-2009, 10:58 AM

Josiah Jenkins wrote:
> On Wed, 14 Oct 2009 08:55:14 -0400, William Gill
> <nospam (AT) domain (DOT) invalid> wrote:
>> If you don't want to have to rename the index_1.php every time you have
>> to upload it to your production server leave it as index.php, and in
>> your development server .htaccess enter these two lines
>>
>> DirectoryIndex xxx.xxx
>> Options +Indexes
>>
>> or
>>
>> #DirectoryIndex index.php
>> DirectoryIndex xxx.xxx
>> Options +Indexes
>>
>> and move the comment (#) back and forth to toggle the effect.
>
> Thanks for that. I've noted it but suspect that, with my limited
> knowledge, I'm probably better just renaming the 'index' file rather
> than creating an .htaccess file and switching between the commands
> contained in that.
>
> In my FTP program (Terappin) I can *see* that there are different
> file names between my local machine and the server.
>
> KISS ! It works for me . . .

Me too, so I would leave index.php as index.php and use the two line
option. Quick, simple, and no having to rename anything. :-)

--
Bill

#16
Adrienne Boswell
Re: preventing casual observation of dir content - 10-15-2009, 01:16 PM

Gazing into my crystal ball I observed William Gill
<nospam (AT) domain (DOT) invalid> writing in
news:BGFBm.143524$Y83.15169 (AT) newsfe21 (DOT) iad:

> Adrienne Boswell wrote:
>> Gazing into my crystal ball I observed William Gill
>> <nospam (AT) domain (DOT) invalid> writing in
>> news:AdmBm.147$pl1.65 (AT) newsfe01 (DOT) iad:
>>
>>> Adrienne Boswell wrote:
>>>> If directory browsing is enabled, and you want to change that,
>>>> there are a few ways. As Beauregard already posted, if you are on
>>>> Apache, it's a matter of .htaccess. Windows does not have such a
>>>> file, and if you do not have access to site configuration, you will
>>>> have to ask your hosting provider to do it for you.
>>>
>>> Apache has it regardless of the OS (Windows or *nix). I haven't used
>>> IIS for some years, and it didn't support .htaccess at the time, but
>>> if I remember correctly (a high risk proposition) there were ways to
>>> set up similar options.
>>
>> Windows still does not support .htaccess. I imagine it's because
>> that's too "simple", and too difficult for them to turn into a mess
>> of tangled code.
>
> You are missing my point. It's not a Windows issue, it's an HTTP server
> issue. Apache supports .htaccess in all OS's including Windows, IIS
> (which comes with Windows) does not. There are other HTTP servers for
> Windows, that may or may not read and implement .htaccess directives.
> However IIS uses its own configuration mechanisms to control server
> behavior, .htaccess is (primarily) an Apache configuration mechanism.
> Implying IIS not implementing an Apache mechanism is somehow a fault
> with IIS would be like saying Apache is deficient because it can't be
> configured using IIS Manager. Both servers seem to be able to do the
> same things, I just prefer Apache because I don't have to have one set
> of files for my development server, and another for my production
> server.

You are right. I should have said IIS.

--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share

#17
Harry Putnam
Re: Vice versa (was: preventing casual observation of dir content) - 10-17-2009, 03:39 PM

Josiah Jenkins <josiah-jenkins (AT) somewhere_else (DOT) invalid> writes:

Hey Bub... I'm Harry Putnam <reader (AT) newsguy (DOT) com>, the guy who started
this thread. Instead of acting like you were raised by goats or
something, I'd appreciate you not hi-jacking my thread. Start your
own next time. You've nearly derailed my subject. Someone with
answers to my question or observations about it may well move on and I
don't get the input... but you do. Very ill-mannered.

Fortunately I did get a couple answers.. but with no thanks to you.
On the other hand, it's not the greatest offense in the world and it
appears your intentions were not really to bogart the thread.

So on a lighter note please do not grab someone's thread and change the
subject, not when a new thread would be in order for your different topic.

#18
Harry Putnam
Re: preventing casual observation of dir content - 10-17-2009, 03:44 PM

Andy Dingley <dingbat (AT) codesmiths (DOT) com> writes:

> For Apache it's simple config with httpd.conf or .htaccess (web search
> for tutorials) and setting Options -Indexes
> IIS probably needs a chicken sacrificing to it, I forget.

I heard it was ducks... but may just be rumor... I heard the meat was
greasier and helped the oily tongued sales pitchers.

#19
Harry Putnam
Re: preventing casual observation of dir content - 10-17-2009, 04:00 PM

Lars Eighner <usenet (AT) larseighner (DOT) com> writes:

> In our last episode, <87k4z1j4sk.fsf (AT) newsguy (DOT) com>, the lovely and talented
> Harry Putnam broadcast on comp.infosystems.www.authoring.html:
>
>> This may properly belong in some `security' related newsgroup, but I'm
>> asking here because many here are longtime residents on the web and
>> will have good knowledge of something simple like this.
>>
>> Without going to great lengths... how do people prevent casual
>> observers from viewing contents of directories?
>
> Put a zero length file named one of the default names as set in the server
> configuration (usually index.html).
>
>> So far I've just included an index.html in every directory.. (Only a
>> few in my light usage).
>
> Oh, okay you did that.

Why zero length?

>> But I wondered if there is some systematic way of discovering what is
>> in a web available directory that would by-pass index.html?
>
> What level of security do you want? "Casual observers" are not using
> systematic ways of discovering files in directories. Not because they
> can't, but because if they do, they are not "casual" observers.

Without going way off the cliff about the existential meaning of
casual. I thought maybe there were common scripts available that any
12-15 yr old hotdog might use... something very easy to do that would
do a quick but systematic search for common file names.

I'm not saying such things exist... I'm asking. To me, if it were easy
enough to dig around... it might still fall into some definition of
casual. But let's not wade around in all that baloney... it's clear
enough what I meant.

Someone already posted a sort of answer about how easy it would be in
perl. I asked the same question on a perl list.

You make quite a case about documents and cross purposes etc.

I was thinking of amateurish cgi scripts since they are allowed in any
directory on this particular server.

My worry was that some script kiddie might be able to fiddle my
amateurish cgi scripts. And get at my host's setup, through some dunce
cap thing I put online. Not something I'd like to see happen.

You answered that concern quite well... thank you.
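
An added example, not part of any post in this thread: a small Python audit that walks a local document root and reports which directories would serve an auto-generated listing, based on the `Options` and `DirectoryIndex` directives and the placeholder index file discussed above. It assumes `.htaccess` overrides are honoured and models only those two directives; the function names, the server defaults and the sample tree are constructed for illustration.

```python
import os
import tempfile

def parse_htaccess(path):
    """Return (indexes, names); each is None when the file does not set it."""
    indexes, names = None, None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            parts = raw.split()
            if not parts or parts[0].startswith("#"):
                continue                      # blank line or commented-out directive
            key, args = parts[0].lower(), [a.lower() for a in parts[1:]]
            if key == "options" and args:
                if "+indexes" in args or "-indexes" in args:
                    indexes = "+indexes" in args
                elif not any(a[0] in "+-" for a in args):
                    indexes = "indexes" in args or "all" in args  # absolute list replaces
            elif key == "directoryindex":
                names = (names or []) + parts[1:]
    return indexes, names

def audit(docroot, server_indexes=False, server_index=("index.html", "index.php")):
    """List directories (relative to docroot) that would serve a listing; defaults are assumed."""
    docroot, state, exposed = os.path.abspath(docroot), {}, []
    for dirpath, _dirs, files in os.walk(docroot):     # top-down, so parents come first
        indexes, names = state.get(os.path.dirname(dirpath), (server_indexes, list(server_index)))
        if ".htaccess" in files:
            i, n = parse_htaccess(os.path.join(dirpath, ".htaccess"))
            indexes, names = (indexes if i is None else i), (names if n is None else n)
        state[dirpath] = (indexes, names)              # inherited by subdirectories
        if indexes and not any(name in files for name in names):
            exposed.append(os.path.relpath(dirpath, docroot))
    return sorted(exposed)

def build_sample(root):
    """Constructed tree: the dev-server .htaccess from the thread left in a site root."""
    tree = {".htaccess": "#DirectoryIndex index.php\nDirectoryIndex xxx.xxx\nOptions +Indexes\n",
            "index.php": "", "images/logo.png": "", "private/index.html": "",
            "cgi/.htaccess": "Options -Indexes\n", "cgi/form.pl": ""}
    for rel, body in tree.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

On the sample tree the audit flags `private` even though it holds a placeholder `index.html`, because the inherited `DirectoryIndex xxx.xxx` means that file is no longer treated as the index.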

#20
Jonathan N. Little
Re: preventing casual observation of dir content - 10-17-2009, 06:38 PM

Harry Putnam wrote:
> Andy Dingley <dingbat (AT) codesmiths (DOT) com> writes:
>
>> For Apache it's simple config with httpd.conf or .htaccess (web search
>> for tutorials) and setting Options -Indexes
>> IIS probably needs a chicken sacrificing to it, I forget.
>
> I heard it was ducks... but may just be rumor... I heard the meat was
> greasier and helped the oily tongued sales pitchers.

No, I believe it is a turkey that is required, or maybe it is *for* a
turkey...

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
