Directory listing

What is a directory listing vulnerability?

Directory listing is a web server function that can cause a vulnerability. When enabled, it displays the contents of a directory that has no index file. This function should always be turned off. It is dangerous to leave it enabled because it leads to information disclosure. Disable directory listing in web server configuration.

To start with an example, when a user types in the browser address bar without specifying a file name in the URL (such as index.html, index.php, index.htm, or default.asp), the web server processes this request, returns the index HTML file for that directory (in this case, the /learn/ directory), and the web browser displays the web page. However, if the index file did not exist and directory listing was enabled, the web server would instead return the contents of a directory, like a file manager.

Why do web server administrators turn directory listing on?

Many web server administrators still follow the concept of security through obscurity. They assume that if there are no public links to files in a directory, nobody can access them. This is not true, and it is especially not true when directory listing is enabled and black hat hackers can easily find all the files in a directory (in fact, even search engines can index such directories). This is why directory listing should never be turned on, especially when hosting dynamic websites and web applications, such as WordPress sites.

Another reason why many web servers have directory listing turned on by default is that many older web server releases came with this feature enabled by default for convenience. This was at a time when web security was less of a concern, and access permissions were lax.