I got a bug assigned to me for "All" components (it started out being only for the calendar) that says we should be preventing dir content disclosure.
Now, personally I don't think it's that much important, but then why not have "automatic" (without needing to configure Apache) security for such a low cost (a few KB on your hard disk)?
So, should I just flood the place with index.html in every directory? Or drop the whole idea?
Jon
Jon,
Seems I started all this 
My personal feeling is that given students are naturally very curious and there may well be some who are looking for vulnerabilities, any directory they are able to view might provide them with something the ought not to have.
My current fix has been to use my Cpanel and use index manager to deny access to any directory without an index.htm file.
Since moodle keeps developing and more features (hence directories) are being created, a better solution (blank index.htm) is needed.
Thoughts.
Jeff
It's not really a problem ... there is nowhere that I know of where security depends on files being hidden, and the Moodle source is always open anyway (cvs:/moodle).
In any case, most script directories already have an index.php anyway.
In any case, most script directories already have an index.php anyway.
回复John Papaioannou
Re: Adding empty index.html files to prevent dir contents disclosure
IMHO we should not use empty index.htmls. Instead we should prevent php and html files from displaying anything if called incorrectly.
I have seen interesting thing in Mambo server source codes. Every file that should not be displayed directly starts with:
/** ensure this file is being included by a parent file */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
And those parent files with:
define( "_VALID_MOS", 1 );
skodak
I have seen interesting thing in Mambo server source codes. Every file that should not be displayed directly starts with:
/** ensure this file is being included by a parent file */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
And those parent files with:
define( "_VALID_MOS", 1 );
skodak
回复John Papaioannou
Re: Adding empty index.html files to prevent dir contents disclosure
回复John Papaioannou
Re: Adding empty index.html files to prevent dir contents disclosure
Another option to keep directories under control
is to use a "meta redirect" statement on the index page.
Ex.
<html>
--------------------------------------------------------------------------
<head>
<title>Meta Redirect Code</title>
<meta http-equiv="refresh" content="8;url=http://www.anotherpage.com">
</head>
<body style="margin-left:25px; margin-top:25px; margin-right:25px; font-family:verdana; font-size:14px;">
Your browser should be automatically redirected to the new site in just a moment.
</body>
</html>
--------------------------------------------------------
Replace "anotherpage" with whatever page you want
diplayed.This might work for some!--Dave
Mike et al,
Is it easy to configure a server to do what you say? I have a hosted site and am not any server "expert." How would one do what you are suggesting?
Marcus is suggesting
Create an .htaccess file containing the line
Options -indexes
Can this be added to an existing .htaccess file?
Am I to assume this will prevent directory display unless it contains an index.htm or index.php file?
Jeff
Hi Jeff,
If you have CPanel or similar you'll have an option to dis-allow access to directories without indexes. This option should be clearly displayed in your admin panel. If it's not ask your hosting provider why it isn't. It should be.
If you have CPanel or similar you'll have an option to dis-allow access to directories without indexes. This option should be clearly displayed in your admin panel. If it's not ask your hosting provider why it isn't. It should be.
Hi Jeff -
Did a quick Google. Here's a good tutorial on .htaccess: http://wsabstract.com/howto/htaccess.shtml
mike
Did a quick Google. Here's a good tutorial on .htaccess: http://wsabstract.com/howto/htaccess.shtml
mike
回复John Papaioannou
Re: Adding empty index.html files to prevent dir contents disclosure
Assuming you are using Apache you can address this issue without creating a flood of empty index.html files. Create an .htaccess file containing the line
Options -indexes
This will supress the display of indexes (listings of files) both in the directory where that file is and also in any sub-directories.
The .htaccess file can be used to create many apache directives without going to the actual Apache configuration files. For example I get it to point to a custom error display that shows the logo for my site by adding the line
Errordocument 404 / error404.htm
Note the leading full stop in front of the name .htaccess
Options -indexes
This will supress the display of indexes (listings of files) both in the directory where that file is and also in any sub-directories.
The .htaccess file can be used to create many apache directives without going to the actual Apache configuration files. For example I get it to point to a custom error display that shows the logo for my site by adding the line
Errordocument 404 / error404.htm
Note the leading full stop in front of the name .htaccess