Re: Directory Indexing
>
>Hi,
>
>I have just joined this list, so I don't know if this question has been
>asked before, but I was wondering how you turn off Directory Indexing,
>so nobody can look at the directory listings. Sometimes you don't want
>people to see everything that is in a directory, but you don't want to
>put an index.html or index.htm file in that directory. For security
>reasons, I was just wondering how you turn this off.
>
^^^^
Good question.
Well it depends on what you mean by 'turn off', some do an apologetic
'sorry you can't do this', some give misinformation (a fake directory index)
and grab verbose client information to the 'offenders' logfile. However
these two approaches are typical and will be saved across modifications
via the admin GUI on Windows.
1. Forbid all directory indexes with '403 Forbidden'
----------------------------------------------------
Stop everything, server, admin GUI, break out the text editor on the file
Conf\Config.pi3:
Anyplace between
#+++---AD Saved Section, modifications will be retained---+++
and
#+++---AD Saved section end---+++
insert
<Object>
Name NoIndex
Class FlexibleHandlerClass
CheckPath RefuseFileByMask AllowFileMask="EFD" RefuseStatus=404
CheckPath RefuseFileByMask AllowFileMask="F" RefuseStatus=403
</Object>
find the line
#HandlerLine: Handlers Start Scripts WinScripts FastCGIScripts ISAPI Default
and replace it with
#HandlerLine: Handlers Start Scripts WinScripts FastCGIScripts ISAPI NoIndex Default
Exit the editor (saving the file), bring up 'Server Admin', change a minor
detail then change it back in order to enable 'Apply', apply changes, start
the server. All directory indexing will be denied with HTTP 403.
2. Modify the directory indexer to give no index (use this for misinformation)
------------------------------------------------------------------------------
Stop everything, server, admin GUI, break out the text editor on the file
Conf\Config.pi3:
Find
<Object>
Name TableHTML
Class DirectoryIndexClass
....
Modify down to </Object> so it looks like this (deleting lots of lines)
<Object>
Name TableHTML
Class DirectoryIndexClass
HeaderPattern "<HTML><TITLE>Directory Indexing Forbidden</TITLE><BODY BACKGROUND BGCOLOR="#FFFFFF"><H2>Index of %p</H2>\n"
FilePattern ""
FooterPattern "</BODY></HTML>"
</Object>
Exit the editor (saving the file), start the server.
All directory indexing pages will be the short 'forbidden'
message above with no files listed.
Hope this helps - of course there are a lot of other ploys to stop the
wrong type of information from becoming available. The security conscious
might consider also changing the 'ServerStamp' this is the only way potential
attackers have of knowing which HTTP server is being run (hence which
weaknesses to exploit) - Pi3Web can masquerade as any other server -
or refuse to give the server stamp, this is a feature many other HTTP
servers lack.
>Thanks,
>Kyle
>packback@wi.net
>
Hope this helps,
John
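
An added example, not part of the original message or of Pi3Web: a small Python audit that checks whether recipe 1 above is in place in a Conf\Config.pi3 file. It assumes the markers, object and handler line appear exactly as quoted in the message; the function names and the constructed sample text are hypothetical.

```python
START = "#+++---AD Saved Section, modifications will be retained---+++"
END = "#+++---AD Saved section end---+++"
# Constructed sample, built only from the lines quoted in the message above.
SAMPLE = f"""{START}
<Object>
Name NoIndex
Class FlexibleHandlerClass
CheckPath RefuseFileByMask AllowFileMask="EFD" RefuseStatus=404
CheckPath RefuseFileByMask AllowFileMask="F" RefuseStatus=403
</Object>
{END}
#HandlerLine: Handlers Start Scripts WinScripts FastCGIScripts ISAPI NoIndex Default
"""

def parse_objects(lines):
    """Collect <Object>...</Object> blocks as {name: [directive lines]}."""
    objects, current = {}, None
    for line in lines:
        if line == "<Object>":
            current = []
        elif line == "</Object>" and current is not None:
            name = next((l[5:].strip() for l in current if l.startswith("Name ")), None)
            objects[name] = current
            current = None
        elif current is not None and line:
            current.append(line)
    return objects

def audit_noindex(config_text):
    """Return a list of problems; an empty list means recipe 1 is in place."""
    lines = [l.strip() for l in config_text.splitlines()]
    if START not in lines or END not in lines:
        return ["saved-section markers not found"]
    # Only objects between the markers survive edits made through the admin GUI.
    saved = lines[lines.index(START) + 1:lines.index(END)]
    problems = []
    obj = parse_objects(saved).get("NoIndex")
    if obj is None:
        problems.append("no NoIndex object inside the saved section")
    elif not any(l.startswith("CheckPath") and "RefuseStatus=403" in l for l in obj):
        problems.append("NoIndex has no CheckPath rule refusing with 403")
    # Assumption: NoIndex must precede Default, as on the replacement line.
    handlers = [l.split()[1:] for l in lines if l.startswith("#HandlerLine:")]
    for h in handlers or [[]]:
        if "NoIndex" not in h or "Default" not in h or h.index("NoIndex") > h.index("Default"):
            problems.append("NoIndex is not listed before Default on the handler line")
    return problems

if __name__ == "__main__":
    print(audit_noindex(SAMPLE) or "recipe 1 is in place")
```

Running it against the file after a round trip through 'Server Admin' shows whether the hand edit was retained.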