A simple security measure

A reader recently asked me this security question:

If a user enters:
http://<my_ip>/<mydirectory>
instead of
http://<my_ip>/<mydirectory>/script.php

They get a listing of all scripts/files in that directory and they can then select and execute/run those scripts.

This is a real concern for us, any suggestions?

The solution is to turn off directory browsing in your Apache configuration. To do this, make sure your Apache configuration file (probably httpd.conf or .htaccess) includes this directive:

Options -Indexes

Note that this directive merely prevents people from discovering the names of your files. Users who already know your file names can still access them. But Options -Indexes provides an important layer of security, preventing mischief from casual users who might otherwise stumble onto your file names by accident or design.

More information: http://httpd.apache.org/docs/2.2/mod/core.html#options
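To check your own server for this and to see the fix in context, here is an added example (not from the original post): a small POSIX shell script that recognises an Apache mod_autoindex listing in a response body and prints the hardened per-directory block. It assumes curl is installed; the host, path and sample bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: detect an Apache auto-generated
# directory listing in a response body, and print the hardened config.
# Assumes curl is installed; host and path below are placeholders.

# mod_autoindex listings carry "<title>Index of /path</title>".
# Returns 0 (true) when the body looks like a listing, 1 otherwise.
is_directory_listing() {
    printf '%s' "$1" | grep -qi '<title>Index of /'
}

# Fetch a directory URL on a server you administer and report.
# After "Options -Indexes", a directory with no index file answers 403.
check_url() {
    body=$(curl -s -L "$1") || return 2
    if is_directory_listing "$body"; then
        echo "LISTING ENABLED: $1"
        return 1
    fi
    echo "ok: $1"
}

# The fix from the post as a per-directory block for httpd.conf.
# The same "Options -Indexes" line in an .htaccess file only takes effect
# when the enclosing <Directory> has "AllowOverride Options" (or All).
# "/www/htdocs/mydirectory" is a placeholder path.
hardened_config() {
    cat <<'EOF'
<Directory "/www/htdocs/mydirectory">
    Options -Indexes
</Directory>
EOF
}

# Constructed sample bodies so the detector can be exercised offline.
SAMPLE_LISTING='<html><head><title>Index of /mydirectory</title></head><body><h1>Index of /mydirectory</h1><a href="script.php">script.php</a></body></html>'
SAMPLE_PAGE='<html><head><title>Welcome</title></head><body>Hello</body></html>'

if is_directory_listing "$SAMPLE_LISTING"; then
    echo "sample listing detected (expected)"
fi
# Real use, against your own server:  check_url "http://<my_ip>/<mydirectory>/"
```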

2 replies

    Alan Seiden says:

    Justin, good question. Zend Server has indexes off (good). As for Zend Core (the older version), its proxy server had indexes off (good) but its workhorse PASE server had them on. That would be fine if everyone used the proxy server to control requests, but some people might have dispensed with the proxy server, potentially landing them in trouble if they did not configure the PASE Apache server carefully.

    Zend Server, which is the current version of PHP on IBM i (iSeries/i5), is fine. There’s only one Apache server, and it is configured with Options -Indexes. Simple and safe.

    In the case of the person who wrote to me, I think he was using Zend Server, so he should have been OK. Perhaps he was experimenting with configurations that he got elsewhere. I will ask him.
