Directory listing in Moodle


by Tomasz Muras
Number of replies: 1

Hi,


Moodle has some directories without index.php, which may allow seeing a directory listing if your web server is configured this way.

Searching the tracker, this has been reported a few times but always closed as "not a bug", e.g. see https://tracker.moodle.org/browse/MDL-36815 .

I think the reasoning "Developers do not put any secrets there because everybody can see the open source code" is wrong; hiding open source code is not the point of preventing directory listing.

Directory listing is harmful because it may:

* give an attacker information about the exact Moodle version that is used

* give an attacker information about the modules/plugins used

* give an attacker information about possible extra files dropped into the Moodle installation


Of course, directory listing should be disabled at the server level, but by supporting it in the application (via the trivial addition of empty index.php files) we are helping to secure otherwise less-secure servers. I think it's worth it; what do you think?


cheers,
Tomek
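As an added example (not from the thread and not Moodle's own code): a POSIX shell audit that lists the directories under a web root lacking an index.php and can drop an empty one into each, which is the change proposed above; the Apache `Options -Indexes` and nginx `autoindex off` directives in the comments are the server-level fix both posters consider the proper one. The `/var/www/moodle` path is a placeholder.

```shell
#!/bin/sh
# Added example, not Moodle code. Audits a web root for directories that a
# web server with directory indexes enabled would list, i.e. directories
# without an index.php, and optionally creates an empty index.php in each.
#
# The server-level fix this complements (preferred by both posters):
#   Apache: "Options -Indexes" in the vhost or .htaccess
#   nginx:  "autoindex off;" in the server/location block

# Print every directory under "$1" that has no index.php, one per line.
# The sh -c wrapper keeps the test portable (no reliance on {} expansion
# inside a longer find argument).
list_unindexed_dirs() {
    find "$1" -type d ! -exec sh -c '[ -e "$1/index.php" ]' sh '{}' \; -print | sort
}

# Number of such directories (trimmed to a bare integer).
count_unindexed_dirs() {
    list_unindexed_dirs "$1" | wc -l | tr -d ' '
}

# Create an empty index.php in every such directory. Idempotent: directories
# that already have one are skipped by list_unindexed_dirs.
add_empty_indexes() {
    list_unindexed_dirs "$1" | while IFS= read -r dir; do
        : > "$dir/index.php"
    done
}

# Usage: sh audit_indexes.sh /var/www/moodle [--fix]   (path is a placeholder)
if [ -n "${1:-}" ]; then
    echo "directories without index.php: $(count_unindexed_dirs "$1")"
    list_unindexed_dirs "$1"
    if [ "${2:-}" = "--fix" ]; then
        add_empty_indexes "$1"
        echo "after fix: $(count_unindexed_dirs "$1")"
    fi
fi
```

Run it read-only first to review the list; only the --fix flag writes files, and it never touches directories that already have an index.php.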


In reply to Tomasz Muras

Re: Directory listing in Moodle

by David Mudrák

Yes and no.

Yes, it does not hurt to add empty index.php files, even though I personally think it really is the responsibility of the server-side configuration. And the file index should definitely be switched off (if nothing else, then because it does not look good).

No, it does not add that much protection.

Detecting the Moodle version used is much simpler than one would think. The presence of a plugin can be detected very easily as well. But yes, spotting the eventual presence of extra files dropped into the Moodle installation is made easier by this. But honestly, is this a common case?

I believe it has been proven many times that security through obscurity does not really work. The only way to keep your installation safe is to keep it up to date. I would not like to give admins a false feeling of safety via things like this.