HighDots Forums  

preventing casual observation of dir content

HTML Writing HTML for the Web (comp.infosystems.www.authoring.html)


#1 Harry Putnam
preventing casual observation of dir content - 10-11-2009, 12:04 PM

This may properly belong in some `security' related newsgroup, but I'm
asking here because many here are longtime residents on the web and
will have good knowledge of something simple like this.

Without going to great lengths... how do people prevent casual
observers from viewing contents of directories?

So far I've just included an index.html in every directory.. (Only a
few in my light usage).

But I wondered if there is some systematic way of discovering what is
in a web available directory that would bypass index.html?

I guess a miscreant could try different filenames after the slash and
eventually get lucky but that probably isn't much of a likelihood.

But if there are more sinister and effective ways to discover
filenames inside a directory containing an index.html... are there
simple protections to prevent it?

#2 Beauregard T. Shagnasty
Re: preventing casual observation of dir content - 10-11-2009, 12:18 PM

Harry Putnam wrote:

Quote:
But if there are more sinister and effective ways to discover
filenames inside a directory containing an index.html... are there
simple protections to prevent it?

You don't say what your web server is... Apache? If so, create a file
in your root directory named: .htaccess and put this one line in it:

Options -Indexes

--
-bts
-Friends don't let friends drive Windows

#3 Adrienne Boswell
Re: preventing casual observation of dir content - 10-11-2009, 12:34 PM

Gazing into my crystal ball I observed Harry Putnam <reader (AT) newsguy (DOT) com>
writing in news:87k4z1j4sk.fsf (AT) newsguy (DOT) com:

Quote:
This may properly belong in some `security' related newsgroup, but I'm
asking here because many here are longtime residents on the web and
will have good knowledge of something simple like this.

Without going to great lengths... how do people prevent casual
observers from viewing contents of directories?

So far I've just included an index.html in every directory.. (Only a
few in my light usage).

But I wondered if there is some systematic way of discovering what is
in a web available directory that would bypass index.html?

I guess a miscreant could try different filenames after the slash and
eventually get lucky but that probably isn't much of a likelihood.

But if there are more sinister and effective ways to discover
filenames inside a directory containing an index.html... are there
simple protections to prevent it?

It depends on the server, and the hosting provider. There are ways to
tell the server not to allow browsing directories.

Most shared hosting providers default to not allowing browsing of
directories. If you want to allow this, then you need to specifically
tell the server.

If directory browsing is enabled, and you want to change that, there are
a few ways. As Beauregard already posted, if you are on Apache, it's a
matter of .htaccess. Windows does not have such a file, and if you do
not have access to site configuration, you will have to ask your hosting
provider to do it for you.

If you do not know which server you are on, you can query
[http://uptime.netcraft.com/up/graph] to find out.

Beauregard has already provided a solution for Apache.

--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share

#4 Andy Dingley
Re: preventing casual observation of dir content - 10-12-2009, 10:30 AM

On 11 Oct, 17:04, Harry Putnam <rea... (AT) newsguy (DOT) com> wrote:

Quote:
Without going to great lengths... how do people prevent casual
observers from viewing contents of directories?

Observers can't view directories. Web servers can view directories,
and they then return the list of content as a web page to the
observer. So switch off that feature, and you're OK. I don't know of
any web server that has this feature where it isn't also switchable as
needed.

For Apache it's simple config with httpd.conf or .htaccess (web search
for tutorials) and setting Options -Indexes
IIS probably needs a chicken sacrificing to it, I forget.

#5 Josiah Jenkins
Vice versa (was: preventing casual observation of dir content) - 10-12-2009, 04:35 PM

On Sun, 11 Oct 2009 12:18:54 -0400, "Beauregard T. Shagnasty"
<a.nony.mous (AT) example (DOT) invalid> wrote:
Quote:
Harry Putnam wrote:

But if there are more sinister and effective ways to discover
filenames inside a directory containing an index.html... are there
simple protections to prevent it?

You don't say what your web server is... Apache? If so, create a file
in your root directory named: .htaccess and put this one line in it:

Options -Indexes

I want to do the opposite.

I'm using WAMP to check pages before uploading.
By default, in localhost, index.php opens as a webpage in FF
and I'd prefer to see a file list of the pages in the directory
so that I can select a page to work on.

After some snooping around, I've created an .htaccess file with
the single line : Options +Indexes in the root folder but it doesn't
appear to have had any effect.

Have I missed something or is there a better way to accomplish
what I'm trying to do ?

AFAIK, there are no security issues, the server is off-line.
--


http://www.ian-stewart.eu

#6 Beauregard T. Shagnasty
Re: Vice versa - 10-12-2009, 05:13 PM

Josiah Jenkins wrote:

Quote:
"Beauregard T. Shagnasty" wrote:
You don't say what your web server is... Apache? If so, create a file
in your root directory named: .htaccess and put this one line in it:

Options -Indexes

I want to do the opposite.

I'm using WAMP to check pages before uploading. By default, in
localhost, index.php opens as a webpage in FF and I'd prefer to see a
file list of the pages in the directory so that I can select a page
to work on.

After some snooping around, I've created an .htaccess file with the
single line : Options +Indexes in the root folder but it doesn't
appear to have had any effect.

Remove or rename index.php to something other than a default page.
Maybe even something simple such as: index1.php
Then the +Indexes will take over.

--
-bts
-Friends don't let friends drive Windows

#7 Josiah Jenkins
Re: Vice versa - 10-12-2009, 06:42 PM

On Mon, 12 Oct 2009 17:13:14 -0400, "Beauregard T. Shagnasty"
<a.nony.mous (AT) example (DOT) invalid> wrote:

Quote:
Josiah Jenkins wrote:

"Beauregard T. Shagnasty" wrote:
You don't say what your web server is... Apache? If so, create a file
in your root directory named: .htaccess and put this one line in it:

Options -Indexes

I want to do the opposite.

I'm using WAMP to check pages before uploading. By default, in
localhost, index.php opens as a webpage in FF and I'd prefer to see a
file list of the pages in the directory so that I can select a page
to work on.

After some snooping around, I've created an .htaccess file with the
single line : Options +Indexes in the root folder but it doesn't
appear to have had any effect.

Remove or rename index.php to something other than a default page.
Maybe even something simple such as: index1.php
Then the +Indexes will take over.

That's done the trick (index_1.php)
I had discovered that moving the index file out of the folder also
worked but that's probably a better workaround.

Thanks for the help.
--


http://www.ian-stewart.eu

#8 AES
Re: preventing casual observation of dir content - 10-13-2009, 02:34 PM

In article
<721ba766-1f02-4254-8702-b5c9fcfc565b (AT) g31g2000yqc (DOT) googlegroups.com>,
Andy Dingley <dingbat (AT) codesmiths (DOT) com> wrote:

Quote:
Without going to great lengths... how do people prevent casual
observers from viewing contents of directories?

Observers can't view directories. Web servers can view directories,
and they then return the list of content as a web page to the
observer. So switch off that feature, and you're OK. I don't know of
any web server that has this feature where it isn't also switchable as
needed.

This is another "vice versa" query:

I have an account and an associated personal WWW directory on a large
professionally managed university system that runs apache.

From experiment, if I remove the index.html file from my WWW directory,
outside observers who link to <http://www.myUniv.edu/~myUserName/> are
served a system-generated web page listing the contents of my WWW
directory -- **and that's what I want to happen**.

I've been told by one poster in an earlier discussion that this is (or
can be) a security threat, not to me, but to the university system.
But, the experts running the system seem to allow it. Comments?

#9 Andy Dingley
Re: preventing casual observation of dir content - 10-14-2009, 07:44 AM

On 13 Oct, 19:34, AES <sieg... (AT) stanford (DOT) edu> wrote:

Quote:
I have an account and an associated personal WWW directory on a large
professionally managed university system that runs apache.

From experiment, if I remove the index.html file from my WWW directory,
outside observers who link to <http://www.myUniv.edu/~myUserName/> are
served a system-generated web page listing the contents of my WWW
directory -- **and that's what I want to happen**.

I've been told by one poster in an earlier discussion that this is (or
can be) a security threat, not to me, but to the university system.
But, the experts running the system seem to allow it. Comments?

Allowing this, as a general rule, can be a security risk -
specifically look up something called "information leakage", where
telling outsiders any more than they _need_ is considered to be a risk
(anything not essential is an extra risk). In practice though, it's
not a major risk: it's Apache, I already knew (or can guess) how to
attack it from pre-existing knowledge, I don't need the help of a
directory listing.

It's only a credible risk (albeit small) if it allows "system"
information to be viewed. There are directories on a web server that
you don't want outsiders to be able to view, and it's unusual that
they can do so. Competent admins (barely capable and upwards) will
have prevented this. Even if they have though, it wasn't a
particularly big loophole - hackers already know where Apache keeps
things, and they can scan for the rest.

So for a user directory, it's safe to permit directory indexing.

The potential risk worth worrying about is when you have things that
you shouldn't in your user directory, and directory indexing makes
them visible, i.e. "system" stuff has ended up in userspace. Now the
fix for this is to not have the stuff there in the first place! If
you need executable scripts, CGI etc, put them in the right places to
begin with, not pure-data user directories. Making these directories
indexable isn't good, but it's a small risk compared to the big risk
of having them there anyway. This often arises because users have a
legitimate need for scripting, but they're not given a safe route to
doing it.


Becoming a warez drop-box is just scare-mongering. That's because
people had permissions to WRITE to it, not to index it.

#10 William Gill
Re: Vice versa - 10-14-2009, 08:55 AM

Josiah Jenkins wrote:
Quote:
On Mon, 12 Oct 2009 17:13:14 -0400, "Beauregard T. Shagnasty"
<a.nony.mous (AT) example (DOT) invalid> wrote:

Josiah Jenkins wrote:

"Beauregard T. Shagnasty" wrote:
You don't say what your web server is... Apache? If so, create a file
in your root directory named: .htaccess and put this one line in it:

Options -Indexes
I want to do the opposite.

I'm using WAMP to check pages before uploading. By default, in
localhost, index.php opens as a webpage in FF and I'd prefer to see a
file list of the pages in the directory so that I can select a page
to work on.

After some snooping around, I've created an .htaccess file with the
single line : Options +Indexes in the root folder but it doesn't
appear to have had any effect.
Remove or rename index.php to something other than a default page.
Maybe even something simple such as: index1.php
Then the +Indexes will take over.

That's done the trick (index_1.php)
I had discovered that moving the index file out of the folder also
worked but that's probably a better workaround.

Thanks for the help.

If you don't want to have to rename the index_1.php every time you have
to upload it to your production server leave it as index.php, and in
your development server .htaccess enter these two lines

DirectoryIndex xxx.xxx
Options +Indexes

or

#DirectoryIndex index.php
DirectoryIndex xxx.xxx
Options +Indexes

and move the comment (#) back and forth to toggle the effect.

--
Bill
