Let’s talk some Website Security
In terms of your website security, the “Directory Index Vulnerability” (it sounds a little complicated … it really isn’t) simply means that if someone goes to a directory of your website that does not have an index file, they will see a listing of all files in the directory.
When you are building and hosting a website, there are several folders (directories) that you will find yourself using a great deal, and they are particularly susceptible to this “Directory Indexing” issue. If you have images on your website (um … and who doesn’t?) or files that you are offering for download, the best practice is to create a folder called “images” as well as a folder called “downloads” within your public_html directory and then put the relevant files into the relevant folder.
Doing this means that all your image files will now reside in the below directory:
and your files for download will reside here:
It makes much more sense to add all the Images for your website into one folder, called images, rather than have them cluttering up the place. They are easier to use and to locate and using folders to organize your files will make you more efficient.
Unfortunately, when you create a folder within public_html that contains a collection of files and there is no index.html page for the server to send to a visitor, the server will simply return a list of all the files within that folder, and the visitor’s browser will display it. This happens whenever no index.html is present (or another standard index file, such as index.htm, index.php and so on …).
You need to be careful of this, as the whole world has access to this folder and everything you put within it!!!
What Information can be Disclosed?
The following information can be accessed, downloaded or viewed based on directory indexing data alone:
- Access to all files within directories without an Index file
- Backup files – with extensions such as .bak, .old or .orig
- Temporary files – these are files that are normally purged from the server but for some reason are still available
- Hidden files – files whose names start with a period (“.”), .htaccess for example
- Naming conventions – an attacker may be able to identify the composition scheme used by the web site to name directories or files. Example: Admin vs. admin, backup vs. back-up, etc…
- User account enumeration (usually resellers) – personal user accounts on a web server often have home directories named after the user account.
- Configuration file contents – these files may contain access control data and have extensions such as .conf, .cfg or .config
- Script Contents – Most web servers allow for executing scripts by either specifying a script location (e.g. /cgi-bin) or by configuring the server to try and execute files based on file permissions.
To prevent this directory listing, you can use a function in cPanel that will take care of it all for you…
Preventing Directory Indexing using your cPanel
Log in to your cPanel and under the Advanced section, click “Index Manager”. Choose “public_html” or “public_html/images” or “public_html/downloads” or whatever directory you want to change the indexing options for.
The cPanel Index Manager allows you to customize the way a directory will be viewed on the web. You can select between a default style, no indexes, or two types of indexing. If you do not wish for people to be able to see the files in your directory, choose “no indexing”.
- In the pop-up window, select the directory from which you wish to begin navigating your website’s contents.
- To navigate Index Manager, click the folder icon next to the directory name.
- Click the name of the directory for which you want to change the indexing style.
- cPanel offers 4 options; select No Indexing:
  - Standard Indexing: contents appear only as filenames.
  - Fancy Indexing: information about the files, such as the size and time last modified, also appears.
  - No Indexing: the contents of the directory are not listed; visitors will see a message stating that the contents are “forbidden.” PICK THIS ONE!
- Click Save.
With directory listing/indexing disabled, someone visiting a directory without an index file will now see a forbidden page rather than a potentially dangerous listing of your files!
Preventing Directory Listing using an Index file
VodaHost.com has an image directory and its address is: http://www.vodahost.com/images/, however if you visit it, you will be disappointed! Go on, try to visit the VodaHost images directory …
…If you were brave and tried to visit the VodaHost /images/ directory then you found that instead of being offered a list of all the image files within that directory, you were redirected right back to the VodaHost.com home page!
We have added an index file to our /images/ directory, which your web browser loaded automatically. The index file contains a single line of HTML that tells your browser to redirect to the VodaHost home page.
In order to create such an index file to redirect users away from :
- Open your favorite Text editor (Notepad in Windows, TextEdit in OS X)
- Copy the following code into a new text document, and replace http://www.yourwebsite.com with the home page or a sales page on your website:
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://www.yourwebsite.com">
- Save the text file as: index.html (Note: MAKE SURE you use the .html extension! Do not save this file as a .txt file!)
- Using your cPanel File Manager, or FTP, upload the index.html file you just created into your /images/ or /downloads/ folder.
- That’s it! You’re done. Any time someone visits your images or downloads directories, they will be redirected to a page of your choice!
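As an added example (not VodaHost’s or cPanel’s code), here is the check and the fix from this page in one script: audit_webroot walks a copy of your public_html and reports every directory a server would list (no index.html, index.htm or index.php) together with the backup, hidden and config files from the list above that it would expose, and write_redirect_index drops the meta-refresh index.html from the steps above into each such directory. The sample site that demo() builds is constructed for illustration; the URL passed to write_redirect_index is the placeholder from this page.

```python
import os
import tempfile
from html import escape

# This page's index file names, and the extensions it lists as commonly exposed.
INDEX_NAMES = ("index.html", "index.htm", "index.php")
BACKUP_EXTS = {".bak", ".old", ".orig"}
CONFIG_EXTS = {".conf", ".cfg", ".config"}

def has_index(dirpath):
    return any(os.path.isfile(os.path.join(dirpath, n)) for n in INDEX_NAMES)

def audit_webroot(root):
    """Map each listable directory (relative to root) to the risky files it exposes."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if has_index(dirpath):
            continue
        issues = set()
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if name.startswith("."):
                issues.add(("hidden", name))
            elif ext in BACKUP_EXTS:
                issues.add(("backup", name))
            elif ext in CONFIG_EXTS:
                issues.add(("config", name))
        findings[os.path.relpath(dirpath, root)] = issues
    return findings

def write_redirect_index(dirpath, url):
    """Write this page's meta-refresh index.html; returns False if an index exists."""
    if has_index(dirpath):
        return False
    # Straight quotes are required; escape() keeps the URL inside the attribute.
    with open(os.path.join(dirpath, "index.html"), "w", encoding="utf-8") as fh:
        fh.write('<meta http-equiv="refresh" content="0;URL=%s">\n' % escape(url, quote=True))
    return True

def demo():  # constructed sample public_html in a temp dir, not a real site
    root = tempfile.mkdtemp()
    for rel in ("index.html", "downloads/index.php", "downloads/guide.pdf",
                "images/logo.png", "images/logo.png.bak", "config/app.cfg", "config/.env"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    before = audit_webroot(root)
    written = sum(write_redirect_index(os.path.join(root, d), "http://www.yourwebsite.com")
                  for d in before)
    return before, written, audit_webroot(root)
```

A redirect index only hides the listing; every file in the folder stays reachable by its direct URL, so backup and configuration files should not sit under public_html at all.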