Thread: Index.html

  1. #1
    Senior Member
    Join Date
    Oct 2001
    Location
    Helsinki, Finland
    Posts
    570

    Index.html

    It's sometimes heard that "index dot html locks the directory it is in". I kinda don't trust this - there must be a way for someone to explore the contents of the directory even if it has got an index.html? I'm of course now talking about the directories (or whatever folders they are called...) on the WWW, not the ones on someone's own computer... :-) What is the best way to protect the folders then? ".htpasswd" & ".htaccess" of course do the trick (how easy is it to break this?) in their own way, but using them requires a password from the user.

    -ZeroOne
    Q: Why do computer scientists confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25

  2. #2
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    AFAIK, all the index.htm(l) or default.htm(l) (Depends on your server software and OS!) files do is that they keep the server software from automatically giving the user a directory listing. AFAIK when the user asks for a directory, the server just passes them the default/index page. If there isn't one, the server tries to list the contents of the directory, unless you forbid directory browsing. Most webserver software should have this... You have to select an option to make it forbidden to view directory contents, and that should help even if you don't have a default page.
    [HvC]Terr: L33T Technical Proficiency
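
An added example (not written by any poster in this thread): a small Python audit of Apache `<Directory>` blocks that reports where automatic listing, the `Indexes` option, is still enabled. This is the "forbid directory browsing" setting described in the post above. The configuration text and paths are constructed samples, and the `default` parameter is an assumption, because the built-in `Options` default depends on the Apache version.

```python
import re

# Constructed sample configuration; the paths are placeholders.
SAMPLE_CONF = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    DirectoryIndex index.html
</Directory>
<Directory "/var/www/html/images">
    # no Options line: inherits the parent's setting
    DirectoryIndex index.html
</Directory>
<Directory "/var/www/html/private">
    Options -Indexes
</Directory>
<Directory "/var/www/html/downloads">
    Options All
</Directory>
"""

BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTIONS = re.compile(r'^[ \t]*Options[ \t]+(.+)$', re.M | re.I)

def apply_options(tokens, inherited):
    """Return the Indexes state after one Options directive."""
    if all(t[0] in "+-" for t in tokens):   # +/- form merges with the parent
        state = inherited
        for t in tokens:
            if t[1:].lower() == "indexes":
                state = t[0] == "+"
        return state
    # Unprefixed form replaces the inherited set; "All" includes Indexes.
    return bool({t.lower() for t in tokens} & {"indexes", "all"})

def audit(conf, default=False):
    """Map each <Directory> path to True if auto-listing is enabled there."""
    blocks = {p.strip().rstrip("/") or "/": b for p, b in BLOCK.findall(conf)}
    result = {}
    for path in sorted(blocks, key=len):    # parents before children
        parents = [p for p in result if path.startswith(p.rstrip("/") + "/")]
        state = result[max(parents, key=len)] if parents else default
        for line in OPTIONS.findall(blocks[path]):
            state = apply_options(line.split(), state)
        result[path] = state
    return result

def exposed(conf, default=False):
    """Directories where a missing index file would yield a listing."""
    return sorted(p for p, on in audit(conf, default).items() if on)

if __name__ == "__main__":
    print(exposed(SAMPLE_CONF))
```

A directory reported here still serves its index.html when one exists; the listing appears only where no index file is present, so the option rather than the file is the control to check.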

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Location
    Helsinki, Finland
    Posts
    570

    Originally posted by Terr
    AFAIK, all the index.htm(l) or default.htm(l) (Depends on your server software and OS!) files do is that they keep the server software from automatically giving the user a directory listing.
    Yeah, I know that, but the main question was (maybe I didn't ask clearly enough) how is it possible to get the listing if the index.html exists but there are no other protectors? And what is the best way to protect a directory against someone who tries to view its contents?

    -ZeroOne
    Q: Why do computer scientists confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25

  4. #4
    Member
    Join Date
    Sep 2001
    Posts
    41
    What type of system and what server are they running?

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Location
    Helsinki, Finland
    Posts
    570

    Directory listing?

    Originally posted by xstonedogx
    What type of system and what server are they running?
    Apache/1.3.9 (Unix)

    -ZeroOne
    Q: Why do computer scientists confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25

  6. #6
    Member
    Join Date
    Sep 2001
    Posts
    41
    Older versions of Apache had several vulnerabilities that would allow the displaying of the directory regardless of the presence of index.html. Unfortunately, the ones I know have been fixed by version 1.3.9.

    Some of these involved CGI vulnerabilities such as the test-cgi vulnerability:

    http://victimserver/cgi-bin/test-cgi?/*

    This would give you a directory listing of the root directory. You can put in any path you like.

    Some involved complex URLs that would basically confuse Apache and give you a directory listing instead of the index.html file.

    You'll probably want to look for some vulnerability along these lines. Look for a CGI vulnerability. Or attempt to gain access to the server.

    Edit: Removed automatic parsing of URLs to keep my example from becoming a link

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Location
    Helsinki, Finland
    Posts
    570
    Originally posted by xstonedogx
    http://victimserver/cgi-bin/test-cgi?/*
    This would give you a directory listing of the root directory. You can put in any path you like.

    You'll probably want to look for some vulnerability along these lines. Look for a CGI vulnerability. Or attempt to gain access to the server.
    It gives either 404 or 403, depending on the server I try... Mostly 404... That "gaining access to a server" sounds a bit illegal... I don't want to hurt anyone/anything, not even the firewall logs, or profit anything, I'm just curious...

    -ZeroOne
    Q: Why do computer scientists confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25
