Now, personally I don't think it's that much important, but then why not have "automatic" (without needing to configure Apache) security for such a low cost (a few KB on your hard disk)?
So, should I just flood the place with index.html in every directory? Or drop the whole idea?
Jon
Jon,
Seems I started all this
My personal feeling is that given students are naturally very curious and there may well be some who are looking for vulnerabilities, any directory they are able to view might provide them with something the ought not to have.
My current fix has been to use my Cpanel and use index manager to deny access to any directory without an index.htm file.
Since moodle keeps developing and more features (hence directories) are being created, a better solution (blank index.htm) is needed.
Thoughts.
Jeff
In any case, most script directories already have an index.php anyway.
Re: Adding empty index.html files to prevent dir contents disclosure
I have seen interesting thing in Mambo server source codes. Every file that should not be displayed directly starts with:
/** ensure this file is being included by a parent file */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
And those parent files with:
define( "_VALID_MOS", 1 );
skodak
Re: Adding empty index.html files to prevent dir contents disclosure
Re: Adding empty index.html files to prevent dir contents disclosure
Another option to keep directories under control
is to use a "meta redirect" statement on the index page.
Ex.
<html>
--------------------------------------------------------------------------
<head>
<title>Meta Redirect Code</title>
<meta http-equiv="refresh" content="8;url=http://www.anotherpage.com">
</head>
<body style="margin-left:25px; margin-top:25px; margin-right:25px; font-family:verdana; font-size:14px;">
Your browser should be automatically redirected to the new site in just a moment.
</body>
</html>
--------------------------------------------------------
Replace "anotherpage" with whatever page you want
diplayed.This might work for some!--Dave
Mike et al,
Is it easy to configure a server to do what you say? I have a hosted site and am not any server "expert." How would one do what you are suggesting?
Marcus is suggesting
Create an .htaccess file containing the line
Options -indexes
Can this be added to an existing .htaccess file?
Am I to assume this will prevent directory display unless it contains an index.htm or index.php file?
Jeff
If you have CPanel or similar you'll have an option to dis-allow access to directories without indexes. This option should be clearly displayed in your admin panel. If it's not ask your hosting provider why it isn't. It should be.
Did a quick Google. Here's a good tutorial on .htaccess: http://wsabstract.com/howto/htaccess.shtml
mike
Re: Adding empty index.html files to prevent dir contents disclosure
Options -indexes
This will supress the display of indexes (listings of files) both in the directory where that file is and also in any sub-directories.
The .htaccess file can be used to create many apache directives without going to the actual Apache configuration files. For example I get it to point to a custom error display that shows the logo for my site by adding the line
Errordocument 404 / error404.htm
Note the leading full stop in front of the name .htaccess