Re: Discovering filenames when 'Directory browsing' disabled



On Mar 17, 9:38 pm, "Ken Schaefer" <kenREM...@xxxxxxxxxxxxxxxxxxxx>
wrote:
Well, people can simply guess the filenames I suppose.

If you don't want people being able to access files they shouldn't have
access to, then you should implement an authentication/authorization system,
rather than providing anonymous access.

Cheers
Ken

"Sean S" <Se...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B86F89E5-E731-4490-AE76-A283532B241A@xxxxxxxxxxxxxxxx

Hi all,

How hard (or easy) is it for a site visitor to discover the filenames of
files in directory that has 'Directory browsing' disabled?

I have a contractor who is planning to do this with some files on our site
and need some advice.

Sean.


The correct way to handle "discovery" of filenames that should not be
discovered is either:
1. Enable Authentication
2. Do NOT put those files in a web-accessible directory

The whole purpose of putting files in a web-accessible directory is to
make them available, and HTTP has no provision to control their
access. Thus, your only choices for access control are to either enable
authentication to authorize who can view such files, or not
make them available at all.

You *could* use IIsWebFile to deny IIS Read access to the resource,
but then anytime you rename the resource, you must modify the
IIsWebFile's name. Plus, the file is still accessible in the web-
directory, so if you have exploitable script code it can be easily
bypassed to view contents of your web-directory.

As soon as you make them available in the web-directory and want to
secure them, but don't want to enable the built-in Authentication,
you will have to write your own authentication/authorization
system, which everyone loves to do but no one gets right. Whenever
you roll your own authentication/authorization system, consider it a
security vulnerability and exploit waiting to happen.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
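As an added example (not from any poster in this thread), this is how the two sound options above look in a web.config for IIS 7 or later, which replaced the IIS 6 metabase (IIsWebFile) configuration David refers to; the folder name `reports` and the group `DOMAIN\ReportReaders` are assumed placeholders. It puts the setting that only hides the listing next to the rule that actually stops a guessed URL from being served.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not part of the thread. Assumes IIS 7 or later with the
     URL Authorization and Windows Authentication features installed. -->
<configuration>
  <system.webServer>
    <!-- Disabling directory browsing only removes the index page: a request
         for /reports/ returns 403 instead of a listing, but a guessed URL
         such as /reports/q1.xlsx is still served to any anonymous visitor. -->
    <directoryBrowse enabled="false" />
  </system.webServer>

  <!-- What actually controls access (option 1): require an authenticated and
       authorized identity for everything under /reports. "?" = anonymous. -->
  <location path="reports">
    <system.webServer>
      <security>
        <authentication>
          <!-- The authentication section is locked at server level by default;
               unlock it in applicationHost.config or set these values there. -->
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
        <authorization>
          <!-- Drop the inherited allow-everyone rule, deny anonymous users,
               then allow only the group that should read these files. -->
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="?" />
          <add accessType="Allow" roles="DOMAIN\ReportReaders" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Files that must never be served directly (option 2) belong outside the site's physical path altogether, where no URL maps to them regardless of this configuration.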


