How to Disable, Enable, Allow & Deny Directory Listings in Apache or via .htaccess
Posted by Helpdesk System on 28 March 2016 04:09 PM

Directory Listings and Why You Might Want to Remove Them

Directory listings can happen in two ways. First, an attacker could view all files in a given web directory. This lets them see files that might not be linked anywhere on your site, including files that may contain sensitive information, such as backup script files (like index.php~ or index.php.bak), htaccess files, or text files with notes (password.txt!).

The other method is more dangerous. Some web servers are set up such that the web home is actually the user home, so passing certain values in the web address can allow directory listings outside of the normally safe web folder structure. This is more dangerous since an attacker may be able to find and execute programs on your server through a web browser, potentially exploiting those programs as well.

Can Listing Directories Open Me to Attack?

Generally, this is not a security threat as it only allows the attacker to gain information. However, the information gathered will help them analyze your site for weaknesses, and could lead to an intrusion down the road. In the worst case, this could allow attackers to attack your web server immediately using special URLs.

However, if one or more directories hold a secret file, such as a password or key file, the attackers may be able to steal it. Additionally, directory traversal can sometimes allow attackers to access files outside the web root directory, leading to the theft of system files, which can aid in other, additional attacks.

How to Disable Directory Listings in Apache

If you are using the Apache web server, you can disable directory browsing. It is strongly recommended that you follow these steps unless you actually do want to show directories to your users. In that case, it is best to apply the following to all other directories, and make exceptions for the directories you want to show.

  • Navigate to your Apache config file (httpd.conf)
  • Open the config file using a text editor like vi (vi httpd.conf)
  • Search for the directory section of the file where your website resides, and the Options keyword beneath that. It should look something like:
    <Directory /home/mywebuser/public_html>
    	Options Indexes 
    </Directory>
    
  • Change the 'Indexes' option above to '-Indexes', so the line reads instead:
    Options -Indexes
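
An added example (not part of the original article): a small Python check that scans Apache configuration or .htaccess text for Options lines that turn directory listings on, including Options All, which also enables Indexes. The function name and the sample configuration are constructed for illustration. The check flags individual lines and does not model how Apache merges Options across sections.

```python
import re

# Constructed sample: the first block is the article's own example, the rest are made up.
SAMPLE_CONF = """\
<Directory /home/mywebuser/public_html>
    Options Indexes
</Directory>
<Directory /home/mywebuser/public_html/private>
    Options -Indexes
</Directory>
<Directory "/home/mywebuser/public_html/downloads">
    Options +Indexes FollowSymLinks
</Directory>
<Directory /home/mywebuser/legacy>
    Options All
</Directory>
# Options Indexes   (commented out, must be ignored)
"""

OPEN_RE = re.compile(r'<Directory(?:Match)?\s+"?([^">]+)"?\s*>', re.I)
CLOSE_RE = re.compile(r"</Directory(?:Match)?\s*>", re.I)


def find_index_listings(conf_text):
    """Return (line_no, scope, directive) for every Options line that enables Indexes."""
    findings = []
    scopes = []  # stack of currently open <Directory> paths
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            scopes.append(opened.group(1).strip())
            continue
        if CLOSE_RE.match(line):
            if scopes:
                scopes.pop()
            continue
        parts = line.split()
        if parts[0].lower() != "options":
            continue
        # "Indexes" and "+Indexes" enable listings; "All" includes Indexes as well.
        if any(p.lower().lstrip("+") in ("indexes", "all") for p in parts[1:]):
            scope = scopes[-1] if scopes else "(no <Directory> block, e.g. .htaccess)"
            findings.append((line_no, scope, line))
    return findings
```

Run it over httpd.conf and each .htaccess file under the web root, then review every reported line against the directories you actually intend to list.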

Directory Listing Feature (Allow, Deny, Disable, Enable) via .htaccess File

When a web browser is pointed to a directory on your web site which does not have an index.html file (or any other index file) in it, the files in that directory can be listed on a web page. Below are a few snippets that can be added to the .htaccess file to allow or prevent directory listing on an Apache server. These directives only take effect in .htaccess if the server configuration permits them through AllowOverride.

Enable / Disable directory Listing

To allow the web server to produce a directory listing whenever a browser is pointed at a directory without an index file, add the following line to your .htaccess file.

Options +Indexes

To disable or prevent directory access, add the following line to your .htaccess file. If a user points the browser to a directory which does not have an index file, then in this case a 403 error will be

Options -Indexes

# or #

# Alternative: keep the listing page but hide every entry in it
IndexIgnore *

Following is the error page that gets displayed when we try to access any directory without index file.

Change Listing style

You may want to display other details while showing the directory listing. This includes file icons, file size, modification date and more. This can be done by adding fancy indexing to your .htaccess file. Add the following snippet to the .htaccess file.

IndexOptions +FancyIndexing

To remove the fancy directory listing or to display the normal directory listing, use -FancyIndexing.

IndexOptions -FancyIndexing

Ignore files with specific extension

You may need to keep certain files from being displayed in the directory listing. This can be achieved using the IndexIgnore directive in the .htaccess file. The following snippet will not display .zip and .txt files in the directory listing.

IndexIgnore *.zip *.txt

Modify Index File

It is possible to change the default index file from index.html (index.php, index.jsp …) to any other file. The following line will change the index file to Home.html.

DirectoryIndex Home.html
