[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Root Directory Listing on RH default apache

To: tfm@tfm.org, bugtraq@securityfocus.com
Subject: Re: Root Directory Listing on RH default apache
From: Stephen Samuel <samuel@bcgreen.com>
Date: Tue, 28 Oct 2003 00:40:17 -0800

You can fix it by changing the line to:
<LocationMatch "^/*$>

On the other hand, if youc an guess the name of any directory without
it's own index.html file, you'll still get a listing.  If you're worried
about people seeing your directories, you should turn off the feature
entirely.

tfm@tfm.org wrote:
....

==============================================
From /etc/httpd/conf/httpd.conf
# # Disable autoindex for the root directory, and present a # default Welcome page if no other index page is present. # <LocationMatch "^/$> Options -Indexes ErrorDocument 403 /error/noindex.html </LocationMatch> ==============================================

....

It's true if you made a request like

GET / HTTP/1.0

Not true if you type:

GET // HTTP/1.0

--
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
                   http://www.bcgreen.com/~samuel/
   Powerful committed communication. Transformation touching
     the jewel within each person and bringing it to light.

References:
- Root Directory Listing on RH default apache
  - From: <tfm@tfm.org>

Prev by Date: RE: Mac OS X vulnerabilities ['Virus checked"]
Next by Date: Re: possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI
Previous by thread: Root Directory Listing on RH default apache
Next by thread: SGI Advanced Linux Environment security update #2
Index(es):
- Date
- Thread