Directory View of Web Site

         

SeanF

11:47 am on May 17, 2020 (gmt 0)


Hi:

I have a web site which hosts a business management system that was written in PHP/MySQL.

When I "view source" on a page I can see the directory path to images, which I expect. If I copy the URL of an image and paste it into a browser, I see the image, which I also expect.

However, if the image happens to be in a subdirectory (or sub-sub-directory) and I remove the image name from the URL, I can view the contents of the directory. I can also navigate up and down the directory tree pretty freely and view files in the various folders. The only restriction seems to be that I can not navigate to the root directory.

How can I stop people from being able to do this?

Thanks

topr8

12:37 pm on May 17, 2020 (gmt 0)


this is a setting in the apache configuration file.

you have indexes turned on

you need to insert the following line in the http.conf file (or possibly uncomment it)

Options -Indexes


you can also do the same in .htaccess

this is for apache 2.2, other versions may differ

SeanF

1:16 pm on May 17, 2020 (gmt 0)


Thanks for the quick reply. I recently changed hosting companies and the default configuration must be different.

I have the following in my .htaccess file
Options +FollowSymlinks
Options -Indexes FollowSymLinks

(the first line was already there, I added the second)

Now, accessing the web site home page throws a "Forbidden, access denied error"

What am I doing wrong?

not2easy

1:38 pm on May 17, 2020 (gmt 0)


You can't have your cake and eat it too. Comment out one directive or the other. "Options" does not like both + and - it is sort of either/or. Your Options can depend on the Apache version and/or the host's configuration, my advice is generic. Try changing those two lines to only the
Options -Indexes
code.

Another option is to upload a tiny index.php file that will show a blank page to anyone browsing your directories. Paste this text into a blank file and name it "index.php" and put a copy in your directories. It has no effect on anything other than browsing attempts.

<?php
// Nothing here.
?>

SeanF

1:50 pm on May 17, 2020 (gmt 0)


OK, thanks

SeanF

2:14 pm on May 17, 2020 (gmt 0)


Options -Indexes
Works perfectly!

lucy24

3:13 pm on May 17, 2020 (gmt 0)


"Options" does not like both + and - it is sort of either/or.

Combining + and - is fine. Mine, for example, typically say
Options -Indexes +Includes

What Apache doesn't like is leaving out the operator, as in
Options -Indexes FollowSymLinks

In fact the horse's mouth [httpd.apache.org] explicitly says
Mixing Options with a + or - with those without is not valid syntax and will be rejected during server startup by the syntax check with an abort.
(The htaccess equivalent reaction is likely to be a 500 error, since obviously the server has already started.)

Besides, you don't need to say anything about FollowSymLinks in htaccess. Unless you have the world's worst host, any site that permits htaccess will already have this enabled in config--in fact it's on by default--and from there it will be inherited downward.
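
A small linter for the Options rule quoted above, as an added example that is not part of the original thread or of Apache itself: it flags lines that mix signed and unsigned options and reports whether the file on its own turns Indexes off. The name `lint_options` is hypothetical, and only the one file is modelled; settings inherited from the server config are not.

```python
import re

# Apache directive names are case-insensitive; require at least one argument.
OPTIONS_RE = re.compile(r"^\s*Options\s+(\S.*?)\s*$", re.IGNORECASE)

# The two lines posted earlier in this thread, reproduced as sample input.
SEANF_HTACCESS = "Options +FollowSymlinks\nOptions -Indexes FollowSymLinks\n"

def lint_options(text):
    """Return (findings, indexes) for the Options lines of one config file.

    findings -- list of (line_number, message) for invalid lines
    indexes  -- True/False if this file decides Indexes, None if it is
                left to whatever the parent configuration says
    """
    findings, state, absolute = [], {}, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):      # whole-line comment
            continue
        m = OPTIONS_RE.match(raw)
        if not m:
            continue
        tokens = m.group(1).split()
        signed = [t for t in tokens if t[0] in "+-"]
        if signed and len(signed) < len(tokens):
            # The case the documentation quote describes: rejected by Apache.
            findings.append((lineno, "mixes +/- options with unsigned ones"))
            continue
        if signed:
            # All-signed form: merged into the options already in effect.
            for t in tokens:
                state[t[1:].lower()] = (t[0] == "+")
        else:
            # Unsigned form: replaces the option set instead of merging.
            absolute = True
            state = {t.lower(): True for t in tokens}
            if "all" in state:                # All includes Indexes
                state["indexes"] = True
    if "indexes" in state:
        return findings, state["indexes"]
    return findings, (False if absolute else None)

if __name__ == "__main__":
    for name, body in [("as posted", SEANF_HTACCESS),
                       ("fixed", "Options -Indexes\n")]:
        print(name, lint_options(body))
```
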

phranque

1:19 am on May 18, 2020 (gmt 0)


Now, accessing the web site home page throws a "Forbidden, access denied error"

(The htaccess equivalent reaction is likely to be a 500 error, since obviously the server has already started.)

i would always suggest looking for clues in the web server access and error log files in these situations.