Re: Root Directory Listing on RH default apache

From: M.Hirsch (M.Hirsch_at_gmx.de)
Date: 11/02/03

  • Next message: Seth Arnold: "Re: Immunix Secured OS 7+ fileutils update"
    To: bugtraq@securityfocus.com
    Date: Sun, 2 Nov 2003 09:36:45 +0100
    
    

    Am Dienstag, 28. Oktober 2003 09:40 schrieb Stephen Samuel:

    > You can fix it by changing the line to:
    > <LocationMatch "^/*$>

    great idea... oops:
    GET /./ HTTP/1.0

    > If you're worried
    > about people seeing your directories, you should turn off the feature
    > entirely.
    This sounds much better. Always choose a "deny everything that is not
    explicitly allowed" policy.

    M.

    > You can fix it by changing the line to:
    > <LocationMatch "^/*$>
    >
    > On the other hand, if youc an guess the name of any directory without
    > it's own index.html file, you'll still get a listing. If you're worried
    > about people seeing your directories, you should turn off the feature
    > entirely.
    >
    > tfm@tfm.org wrote:
    > ....
    >
    > > ==============================================
    > >
    > >>From /etc/httpd/conf/httpd.conf
    > >
    > > #
    > > # Disable autoindex for the root directory, and present a
    > > # default Welcome page if no other index page is present.
    > > #
    > > <LocationMatch "^/$>
    > > Options -Indexes
    > > ErrorDocument 403 /error/noindex.html
    > > </LocationMatch>
    > > ==============================================
    >
    > ....
    >
    > > It's true if you made a request like
    > >
    > > GET / HTTP/1.0
    > >
    > > Not true if you type:
    > >
    > > GET // HTTP/1.0


  • Next message: Seth Arnold: "Re: Immunix Secured OS 7+ fileutils update"