-
October 23rd, 2001, 04:50 PM
#1
Index.html
It's sometimes heard that "index dot html locks the directory it is in". I kind of don't trust this - there must be a way for someone to explore the contents of the directory even if it has got an index.html? I'm of course now talking about the directories (or whatever folders are called...) on the WWW, not the ones on someone's own computer... :-) What is the best way to protect the folders then? ".htpasswd" & ".htaccess" of course do the trick (how easy is it to break this?) in their own way, but using them requires a password from the user.
-ZeroOne
Q: Why do computer scientists confuse Christmas and Halloween?
A: Because Oct 31 = Dec 25
-
October 23rd, 2001, 06:42 PM
#2
AFAIK, all the index.htm(l) or default.htm(l) (Depends on your server software and OS!) files do is that they keep the server software from automatically giving the user a directory listing. AFAIK when the user asks for a directory, the server just passes them the default/index page. If there isn't one, the server tries to list the contents of the directory, unless you forbid directory browsing. Most webserver software should have this... You have to select an option to make it forbidden to view directory contents, and that should help even if you don't have a default page.
[HvC]Terr: L33T Technical Proficiency
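The behaviour described in the post above, as an added example that is not part of the original thread: a simplified model of how a server answers a request for a directory, plus an audit that lists the folders under a document root that have no index file. The function names, the sample tree and the `listing_allowed` flag are assumptions made for illustration; a real server's index names and browsing setting come from its configuration.

```python
import os
import tempfile

# Index names taken from the post above; real servers make this list configurable.
INDEX_NAMES = ("index.html", "index.htm", "default.html", "default.htm")


def resolve_directory_request(path, listing_allowed, index_names=INDEX_NAMES):
    """Simplified model of what a server returns for a request to a directory."""
    for name in index_names:
        if os.path.isfile(os.path.join(path, name)):
            return ("index", name)  # index page is served, no listing
    if listing_allowed:
        return ("listing", sorted(os.listdir(path)))  # contents are exposed
    return ("forbidden", None)  # browsing disabled: the request is refused


def audit_docroot(root, index_names=INDEX_NAMES):
    """Return directories (relative to root) that have no index file and so
    would be listed whenever directory browsing is left enabled."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not any(name in filenames for name in index_names):
            exposed.append(os.path.relpath(dirpath, root))
    return sorted(exposed)


def build_sample_docroot():
    """Constructed sample tree: the top level has index.html, two subfolders do not."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "backup", "old"))
    for rel in ("index.html", "images/logo.gif", "backup/site.tar",
                "backup/old/index.htm"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample")
    return root


if __name__ == "__main__":
    docroot = build_sample_docroot()
    images = os.path.join(docroot, "images")
    print(resolve_directory_request(docroot, listing_allowed=True))
    print(resolve_directory_request(images, listing_allowed=True))
    print(resolve_directory_request(images, listing_allowed=False))
    print("no index file:", audit_docroot(docroot))
```

An index.html only covers the directory it sits in, so the audit reports `backup` and `images` even though the top level has one. On Apache, the `listing_allowed=False` case corresponds to turning off the `Indexes` option.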
-
October 24th, 2001, 04:17 PM
#3
Originally posted by Terr
AFAIK, all the index.htm(l) or default.htm(l) (Depends on your server software and OS!) files do is that they keep the server software from automatically giving the user a directory listing.
Yeah, I know that, but the main question was (maybe I didn't ask clearly enough) how is it possible to get the listing if the index.html exists but there are no other protectors? And what is the best way to protect a directory against someone who tries to view its contents?
-ZeroOne
-
October 24th, 2001, 05:02 PM
#4
Member
What type of system and what server are they running?
-
October 25th, 2001, 01:37 PM
#5
Directory listing?
Originally posted by xstonedogx
What type of system and what server are they running?
Apache/1.3.9 (Unix)
-ZeroOne
-
October 25th, 2001, 02:33 PM
#6
Member
Older versions of Apache had several vulnerabilities that would allow the displaying of the directory regardless of the presence of index.html. Unfortunately, the ones I know have been fixed by version 1.3.9.
Some of these involved CGI vulnerabilities such as the test-cgi vulnerability:
http://victimserver/cgi-bin/test-cgi?/*
This would give you a directory listing of the root directory. You can put in any path you like.
Some involved complex URLs that would basically confuse Apache and give you a directory listing instead of the index.html file.
You'll probably want to look for some vulnerability along these lines. Look for a CGI vulnerability. Or attempt to gain access to the server.
Edit: Removed automatic parsing of URLs to keep my example from becoming a link
-
October 25th, 2001, 06:46 PM
#7