How to Clean Up Your Open Directory Listing
April 06, 2022
The open directories on your web server hold the files that make up your website, and they look much like the folder listing you’d find on your computer’s hard drive. Whenever you click a document or music link on a website, that file is being served from a directory on a server. If you haven’t added proper security, anyone on the internet can browse the contents of any server that’s connected to it.
How Can An Open Directory Listing Become a Security Issue?
Sometimes users enter a web address without naming a particular file. When that happens, the web server looks for a default document, such as an index.html file. If that file doesn’t exist on the server, a function called directory listing displays the contents of the directory instead.
Right away, you can see how this would be a serious security problem. Let’s say you had PDFs or XML files stored on that server that contained personally identifiable information (PII), like social security or driver’s license numbers. If you have that directory listing function turned on, you’re giving anyone with access to the internet full access to that information.
Many web admins assume that if there’s no link to a file, it can’t be accessed. However, many vulnerability scanners can discover your open directory listings if the directory listing function is turned on.
How Else Can Someone Access My Open Directory Listing?
If you run a dynamic web server or a WordPress site, you should never turn on directory listing. However, that doesn’t mean your files are completely safe. Some servers have vulnerabilities that let attackers exploit improper handling of certain characters to reach the files on your web server.
Cyber thieves may also try to reach sensitive information held in your open directory by going through historical or cached data held in online databases. For example, if you had directory listing enabled before turning it off, the listing might still be in one of Google’s caches.
Other vulnerable areas that might lead to data disclosure from an open directory listing include FTP logs or a misconfigured server. Unfortunately, the best security in the world can’t combat these kinds of mistakes. For that reason, you should take steps to remove sensitive information from your open directory listings.
How Can I Clean Up My Open Directory Listing?
If you haven’t done it already, disable the directory listing function. For most popular servers, you’d need to update the configuration file. While it doesn’t offer complete protection, taking that step can prevent bad actors from pulling a list of your files through a single request. However, they can still access them if they know the names of the files.
Once listing is disabled, visitors get an error when they request any directory without an index file. After that, turn your attention to the information held within the directories on your web server, and make sure you remove anything containing PII.
Here are some examples of how you can disable directory listing on commonly used web servers.
Tomcat disables directory listings by default. However, if you enabled it through configuration changes, you’ll need to do the following:
- Open the conf/web.xml file within your Tomcat installation directory.
- Within the servlet tag, look for the param-name tag whose value is listings.
- Update the related param-value tag to false.
Like Tomcat, IIS keeps directory listing disabled by default. So if you’ve enabled it through the IIS configuration interface, you’ll need to change it back.
- Open the IIS Manager console.
- Look for the Directory Browsing setting and change it to false.
- Alternatively, you can execute the following command via a command line window:
Apache controls directory listing through the Indexes option, set either in httpd.conf or in a per-directory .htaccess file:
- Create an .htaccess file within the application directory.
- Add the following lines to your httpd.conf file.
- Remove any Indexes and MultiViews statements to disable the directory listing feature safely.
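As an added example (not code from the original post or from Havoc Shield), here is a small Python audit that reads the three configuration formats covered by the steps above and reports whether directory listing is switched on: the listings init-param in Tomcat’s conf/web.xml, the directoryBrowse element in an IIS web.config, and Options lines that enable Indexes (or MultiViews, which the Apache steps also say to remove) in httpd.conf. The sample configuration fragments are constructed for the example, and the function names are my own. It does not model Apache’s per-directory merging of Options, so treat its output as a list of lines to review rather than a final verdict.

```python
"""Audit web-server config files for directory listing (added example, not from the post).

Covers the three formats discussed above:
  * Tomcat conf/web.xml : <init-param> named 'listings' under a <servlet>
  * IIS web.config      : <directoryBrowse enabled="..."/> under system.webServer
  * Apache httpd.conf   : Options lines that turn on Indexes or MultiViews
All sample configuration text below is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit('}', 1)[-1]


def tomcat_listings_enabled(web_xml: str) -> bool:
    """True if any <servlet> in web.xml has init-param 'listings' set to true."""
    root = ET.fromstring(web_xml)
    for servlet in (n for n in root.iter() if _local(n.tag) == 'servlet'):
        for param in (p for p in servlet if _local(p.tag) == 'init-param'):
            fields = {_local(c.tag): (c.text or '').strip() for c in param}
            if (fields.get('param-name') == 'listings'
                    and fields.get('param-value', '').lower() == 'true'):
                return True
    return False


def iis_directory_browse_enabled(web_config: str) -> bool:
    """True if web.config contains <directoryBrowse enabled="true"/>."""
    root = ET.fromstring(web_config)
    return any(node.get('enabled', 'false').strip().lower() == 'true'
               for node in root.iter('directoryBrowse'))


_OPTIONS_LINE = re.compile(r'^\s*Options\s+(.+)$', re.IGNORECASE)


def apache_listing_findings(httpd_conf: str) -> list:
    """Return (line_number, option) pairs for Options lines that enable listing.

    'Indexes', '+Indexes' and 'All' (which implies Indexes) are flagged;
    '-Indexes' is an explicit disable and is skipped. MultiViews is flagged
    because the steps above say to remove it. Per-directory merging of
    Options is not modelled, so each flagged line is something to review.
    """
    findings = []
    for lineno, line in enumerate(httpd_conf.splitlines(), 1):
        match = _OPTIONS_LINE.match(line)
        if not match:
            continue
        for token in match.group(1).split():
            if token.startswith('-'):
                continue  # explicit disable, e.g. -Indexes
            name = token.lstrip('+').lower()
            if name in ('indexes', 'all'):
                findings.append((lineno, 'Indexes'))
            elif name == 'multiviews':
                findings.append((lineno, 'MultiViews'))
    return findings


# ---- constructed sample configurations (not taken from any real server) ----
TOMCAT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""

IIS_WEB_CONFIG = """<configuration>
  <system.webServer>
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>
"""

APACHE_HTTPD_CONF = """# constructed httpd.conf fragment
<Directory "/var/www/html">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/uploads">
    Options -Indexes +FollowSymLinks
</Directory>
"""


def audit(tomcat_xml: str, iis_xml: str, apache_conf: str) -> list:
    """Collect human-readable findings across all three configuration files."""
    report = []
    if tomcat_listings_enabled(tomcat_xml):
        report.append("Tomcat web.xml: 'listings' is true; set it to false")
    if iis_directory_browse_enabled(iis_xml):
        report.append('IIS web.config: directoryBrowse is enabled; set enabled="false"')
    for lineno, option in apache_listing_findings(apache_conf):
        report.append(f"Apache httpd.conf line {lineno}: remove {option}")
    return report


if __name__ == '__main__':
    for finding in audit(TOMCAT_WEB_XML, IIS_WEB_CONFIG, APACHE_HTTPD_CONF):
        print(finding)
```

Run against real files by reading them into the three arguments of audit(); the Tomcat check strips the Java EE namespace so it works whether or not web.xml declares one, and the Apache check deliberately ignores IndexOptions lines, which only style a listing rather than enable it.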
Keep Your Server Information Safe
Havoc Shield helps companies create and implement a security plan that protects their most vulnerable access points. Learn more about our all-in-one security platform by setting up a demo.