Adding empty index.html files to prevent dir contents disclosure

by John Papaioannou -
Number of replies: 13
I got a bug assigned to me for "All" components (it started out being only for the calendar) that says we should be preventing dir content disclosure.

Now, personally I don't think it's that important, but then why not have "automatic" (without needing to configure Apache) security for such a low cost (a few KB on your hard disk)?

So, should I just flood the place with index.html in every directory? Or drop the whole idea?

Jon
In reply to John Papaioannou

Re: Adding empty index.html files to prevent dir contents disclosure

by Jeff Wood -

Jon,

Seems I started all this.

My personal feeling is that given students are naturally very curious and there may well be some who are looking for vulnerabilities, any directory they are able to view might provide them with something they ought not to have.

My current fix has been to use my Cpanel and use index manager to deny access to any directory without an index.htm file.

Since moodle keeps developing and more features (hence directories) are being created, a better solution (blank index.htm) is needed.

Thoughts.

Jeff

In reply to Jeff Wood

Re: Adding empty index.html files to prevent dir contents disclosure

by Martin Dougiamas -
It's not really a problem ... there is nowhere that I know of where security depends on files being hidden, and the Moodle source is always open anyway (cvs:/moodle).

In any case, most script directories already have an index.php anyway.
In reply to John Papaioannou

Re: Adding empty index.html files to prevent dir contents disclosure

by Petr Skoda -
IMHO we should not use empty index.htmls. Instead we should prevent php and html files from displaying anything if called incorrectly.

I have seen an interesting thing in the Mambo server source code. Every file that should not be displayed directly starts with:

/** ensure this file is being included by a parent file */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

And those parent files with:

define( "_VALID_MOS", 1 );

skodak
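A way to audit a code base for the include guard quoted in the post above, as an added example that is not from the thread, Mambo or Moodle. The file names and sources are constructed, and the checker assumes the guard is written in the `defined(...) or die(...)` form shown and must be the first statement in the file to count.

```python
import re

GUARD_CONST = "_VALID_MOS"  # constant name from the snippet quoted in the post
DEFINE_RE = re.compile(r"\bdefine\s*\(\s*['\"]%s['\"]" % GUARD_CONST)
CHECK_RE = re.compile(
    r"\bdefined\s*\(\s*['\"]%s['\"]\s*\)\s*(or|\|\|)\s*(die|exit)\b" % GUARD_CONST)
# Whitespace, the opening tag and comments may precede the guard; code may not.
LEADING_RE = re.compile(r"\A(?:\s+|<\?php\b|/\*.*?\*/|//[^\n]*|#[^\n]*)*", re.DOTALL)


def classify(php_source):
    """Return 'guarded', 'entry' or 'unguarded' for one PHP file's text."""
    body = php_source[LEADING_RE.match(php_source).end():]
    if CHECK_RE.match(body):
        return "guarded"      # guard runs before anything else in the file
    if DEFINE_RE.search(php_source):
        return "entry"        # parent file that defines the constant
    return "unguarded"        # missing guard, or guard placed after other code


def unguarded(files):
    """Names of files that execute code when requested directly."""
    return sorted(n for n, src in files.items() if classify(src) == "unguarded")


SAMPLE = {  # constructed sample sources, not real Mambo or Moodle files
    "index.php": "<?php\ndefine( \"_VALID_MOS\", 1 );\nrequire 'lib/db.php';\n",
    "lib/db.php": "<?php\n/** ensure this file is being included by a parent file */\n"
                  "defined( '_VALID_MOS' ) or die( 'Direct Access to this location"
                  " is not allowed.' );\n$db = 1;\n",
    "lib/mail.php": "<?php\n$sent = true;\n",
    "lib/late.php": "<?php\n$x = setup();\ndefined( '_VALID_MOS' ) or die( 'no' );\n",
}

if __name__ == "__main__":
    for name in sorted(SAMPLE):
        print(name, classify(SAMPLE[name]))
```

`lib/late.php` is reported as unguarded because its guard comes after a statement that has already run by the time the check is reached.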
In reply to John Papaioannou

Re: Adding empty index.html files to prevent dir contents disclosure

by Ray Kingdon -
I'd drop the index.php idea. This is not really a Moodle issue but how public access web servers should be configured. I'd be inclined to cover this with a sentence or two in the Installation notes or an entry in the Installation FAQ.
In reply to John Papaioannou

Re: Adding empty index.html files to prevent dir contents disclosure

by Mike Churchward -
Seeing as how this is a web server configuration thing, I would say no, don't do that. Besides, I could configure the web server to ignore 'index.html' files too.

It's better that we explain how to hide directories using server settings.

mike
In reply to Mike Churchward

Re: Adding empty index.html files to prevent dir contents disclosure

by Dave Ray -

Another option to keep directories under control is to use a "meta redirect" statement on the index page.

Ex.

--------------------------------------------------------------------------
<html>
<head>
<title>Meta Redirect Code</title>
<meta http-equiv="refresh" content="8;url=http://www.anotherpage.com">
</head>

<body style="margin-left:25px; margin-top:25px; margin-right:25px; font-family:verdana; font-size:14px;">
Your browser should be automatically redirected to the new site in just a moment.
</body>
</html>
--------------------------------------------------------------------------
Replace "anotherpage" with whatever page you want displayed. This might work for some! --Dave

In reply to Mike Churchward

Re: Adding empty index.html files to prevent dir contents disclosure

by Jeff Wood -

Mike et al,

Is it easy to configure a server to do what you say?  I have a hosted site and am not any server "expert." How would one do what you are suggesting?

Marcus is suggesting

Create an .htaccess file containing the line

Options -indexes

Can this be added to an existing  .htaccess file?

Am I to assume this will prevent directory display unless it contains an index.htm or index.php file?

Jeff

In reply to Jeff Wood

Re: Adding empty index.html files to prevent dir contents disclosure

by John Gone -
Hi Jeff,
If you have CPanel or similar you'll have an option to disallow access to directories without indexes. This option should be clearly displayed in your admin panel. If it's not, ask your hosting provider why it isn't. It should be.
In reply to Jeff Wood

Re: Adding empty index.html files to prevent dir contents disclosure

by Marcus Green -
Yes, it can be added to an existing .htaccess file. It will prevent the display of any indexing, i.e. file listing. If you have an index.htm file, that will show up automatically in the usual way, without actually having to put the index.htm (or html) into the browser URL bar.
In reply to Marcus Green

Re: Adding empty index.html files to prevent dir contents disclosure

by Jeff Wood -

Tnx to everyone for their thoughts and suggestions... I'm off to do them now.

Jeff

In reply to Jeff Wood

Re: Adding empty index.html files to prevent dir contents disclosure

by Mike Churchward -
Hi Jeff -

Did a quick Google. Here's a good tutorial on .htaccess: http://wsabstract.com/howto/htaccess.shtml

mike
In reply to Mike Churchward

Re: Adding empty index.html files to prevent dir contents disclosure

by Jeff Wood -

Tnx Mike... worked like a charm!

Jeff

In reply to John Papaioannou

Re: Adding empty index.html files to prevent dir contents disclosure

by Marcus Green -
Assuming you are using Apache you can address this issue without creating a flood of empty index.html files. Create an .htaccess file containing the line

Options -indexes

This will suppress the display of indexes (listings of files) both in the directory where that file is and also in any sub-directories.

The .htaccess file can be used to create many Apache directives without going to the actual Apache configuration files. For example, I get it to point to a custom error display that shows the logo for my site by adding the line

ErrorDocument 404 /error404.htm

Note the leading full stop in front of the name .htaccess
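A way to check which directories under a web root would still show a file listing, combining the two ideas from this thread (an index file in the directory, or `Options -Indexes` in an .htaccess file that applies to it and its sub-directories). This is an added example, not code from the thread or from Moodle. It assumes the server honours Options in .htaccess files, that the DirectoryIndex names are the three listed, and that listing is on unless overridden (`server_default`); the sample tree is constructed.

```python
import os
import re
import tempfile
INDEX_NAMES = ("index.html", "index.htm", "index.php")  # assumed DirectoryIndex
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.IGNORECASE)

def indexes_after(htaccess_path, state):
    """Apply the Options lines of one .htaccess to the inherited Indexes state."""
    if not os.path.isfile(htaccess_path):
        return state
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = OPTIONS_RE.match(line)
            if not m:
                continue  # comment or unrelated directive
            words = [w.lower() for w in m.group(1).split()]
            if all(w[0] in "+-" for w in words):  # relative form: merge
                if "-indexes" in words:
                    state = False
                elif "+indexes" in words:
                    state = True
            else:  # absolute form replaces every inherited option
                state = "indexes" in words or "all" in words
    return state

def listable_dirs(webroot, server_default=True):
    """Return directories with autoindex on and no index file to serve instead."""
    webroot = os.path.abspath(webroot)
    state, exposed = {}, []
    for dirpath, _dirs, files in os.walk(webroot):  # top-down: parents first
        inherited = state.get(os.path.dirname(dirpath), server_default)
        state[dirpath] = indexes_after(os.path.join(dirpath, ".htaccess"), inherited)
        if state[dirpath] and not any(n in files for n in INDEX_NAMES):
            exposed.append(os.path.relpath(dirpath, webroot).replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_tree(root):
    """Constructed sample layout for the demo, not Moodle's real tree."""
    for d in ("calendar", "lang/en", "files/uploads/2004"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "index.php"), "w").close()
    open(os.path.join(root, "calendar", "index.html"), "w").close()
    with open(os.path.join(root, "files", ".htaccess"), "w") as fh:
        fh.write("# constructed sample\nOptions -Indexes\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(listable_dirs(tmp))
```

In the sample, `files` and everything below it are covered by the single .htaccess, while `lang` and `lang/en` have neither an index file nor an Options override and are reported.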