DefenseCode

Directory Listing Allowed

Risk type: INFORMATIONAL

Description:

A web server misconfigured to show a list of the files in a directory can expose important files (backups, configuration files, scripts not meant to be browsed directly) to malicious users.

Example:

The Apache web server configures directory listing through the Options directive, either in the main configuration file or in a per-directory ".htaccess" file. The following line enables directory listing for any directory that does not contain an index file (by default "index.html", as set by DirectoryIndex):

Options +Indexes

Note that the related IndexIgnore directive does not enable listing; it only filters entries out of a listing that is already enabled, so "IndexIgnore *" hides all entries from such a listing.

To disable directory listing, use the following line in the relevant <Directory> section of the server configuration or in ".htaccess" (the latter only takes effect when AllowOverride includes Options for that directory):

Options -Indexes
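Added example, not part of the DefenseCode advisory: a small audit helper that evaluates the Options directives of one Apache configuration scope in order and reports whether Indexes ends up enabled. The config fragments are constructed for illustration; nested <Directory> merging and AllowOverride handling are out of scope.

```python
import re

# Constructed sample fragments (not from the original page).
SAMPLE_ENABLED = """
# listing is enabled unless an index file is present
Options +Indexes
IndexIgnore *.bak
"""

SAMPLE_DISABLED = """
Options Indexes FollowSymLinks
Options -Indexes
"""


def indexes_enabled(config_text: str, initial: bool = False) -> bool:
    """Return True if the Indexes option is enabled after applying, in order,
    every Options directive found in config_text (one scope only).

    Apache semantics applied (simplified):
      - 'Options A B'   replaces the option set with exactly A and B
      - 'Options +A -B' adds A and removes B relative to the current set
      - 'Options All'   includes Indexes; 'Options None' clears everything
      - mixing absolute and +/- forms on one line is a configuration error
    `initial` is the inherited state of Indexes for this scope."""
    enabled = initial
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        m = re.match(r"(?i)^Options\s+(.+)$", line)
        if not m:
            continue
        tokens = m.group(1).split()
        relative = [t[0] in "+-" for t in tokens]
        if any(relative) and not all(relative):
            raise ValueError("Apache rejects mixing absolute and +/- Options")
        if not all(relative):
            # Absolute form: only the listed options survive.
            enabled = any(t.lower() in ("indexes", "all") for t in tokens)
            continue
        for t in tokens:
            if t[1:].lower() in ("indexes", "all"):
                enabled = t[0] == "+"
    return enabled
```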

Mitigation:

  • Turn off directory listing in your web server configuration file.
  • Only use directory listing options for directories that are absolutely needed.

Further reading:

http://projects.webappsec.org/w/page/13246922/Directory%20Indexing