Report page visible to web

by Nick Gault -
Number of replies: 3

Whilst troubleshooting another issue I noticed that the http://mymoodlesite/report directory is visible whilst signed out.

Clicking on any of the links does take me to the sign in page however. 

I have been unable to find any relevant information about this - my apache.conf does not explicitly deny Indexes but it does have an Indexes FollowSymLinks option active.


Does this page need to be visible? If not, what is the best method of securing it?

In reply to Nick Gault

Re: Report page visible to web

by Ken Task -

Apache server defines what files are used as 'default' files to be served when a request from a browser has only a directory .. like http://site/somedirectory/  Apache checks to see if an index.html or an index.php file is present.  If so, it serves that out.

So ... to prevent the viewing of raw directories, one could create a 'blank' file (contains nothing ... not even html) in that directory.

If on linux, one could cd full_path__to/that/directory.

Then via this command create a 'blank' index.html:

touch index.html

That creates a 0 byte/blank file (ie, nothing in it) by  the name index.html.

Then, use any browser, don't log into the moodle, just go directly to https://site/path/to/directory/ and see what you get .... what you'll get is a blank page ... white screen ... with no hidden links etc.

'spirit of sharing', Ken

Average of ratings: Useful (1)
In reply to Ken Task

Re: Report page visible to web

by Nick Gault -

Thanks Ken!

That did the trick - although I am left wondering why this page is open - does it serve any purpose?

Other instances of Moodle are exhibiting the same behaviour.

In reply to Nick Gault

Re: Report page visible to web

by Ken Task -

Welcome.

It's not a "page" but an Apache setting that allows the web service to display the contents of a directory without a default index page .. like index.html or index.php (default.html or default.php on Windows platforms).

And, yes, one can find directories in Moodle code that don't have a default index.html file nor a default index.php in them.

Some consider that setting in Apache to be a security issue and not desired behavior they want their web server to exhibit. Others not so much so.

If one knows how to use that, it could be of benefit depending upon your view of security.

Please see:
https://wiki.apache.org/httpd/DirectoryListings

Real life usage ... I have a directory called 'docs' that I use to copy readme files from various open source apps installed on server.  I link directly to files there from a system Admin course(s) in moodles.   The directory itself would be served out, but I don't want Google to index .. instead, I link directly to files contained therein.

Don't mind sharing what that looks like:
https://sos.tcea.org/docs/
begets a "Yep!" page.  That's the index.html file.

https://sos.tcea.org/docs/solrreadme.txt
however, I can read the readme of solr via browser while I am working via command line on solr and have that readme as reference to revisit solr should I need to.
(that's an old solr readme BTW).

Now to protect that area further, I could use an .htaccess file there that would restrict access by IP address so that only my home connection IP would be granted access to anything in that directory. Note: that is also something else one should not use with Moodle unless you know what you are doing.

BTW, I use that server daily ... I do get a daily logwatch report ... and if I were to see too much poking and probing at the server I do have the ability to 'blackhole' an IP address or blocks of IP addresses from even seeing the server at the network level.  Linux is capable of being a router.

I have done that with that server.  There are certain IP's and blocks of IP's that can no longer see that server.

'spirit of sharing', Ken
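
A way to check a site for the behaviour discussed in this thread, as an added example that is not part of the original posts: the script lists directories that have neither index.html nor index.php (the ones Apache shows as a listing while Indexes is on) and flags uncommented Options lines that enable Indexes. The function names, the sample directory tree and the sample apache.conf are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit for Apache auto-generated listings.
# index.html / index.php are the default files named in the thread; match them
# to your server's DirectoryIndex setting (assumption).
INDEX_FILES="index.html index.php"

# has_index DIR: succeeds if DIR holds one of the default files.
has_index() {
    for _f in $INDEX_FILES; do
        [ -f "$1/$_f" ] && return 0
    done
    return 1
}

# list_unindexed_dirs ROOT: print every directory under ROOT (ROOT included)
# that Apache would render as a listing while Indexes is on.
# Assumes directory names contain no newlines.
list_unindexed_dirs() {
    find "$1" -type d | sort | while IFS= read -r _d; do
        has_index "$_d" || printf '%s\n' "$_d"
    done
}

# listing_enabled_lines CONF: print "lineno:text" for each uncommented Options
# line that turns listings on (Indexes or +Indexes, but not -Indexes).
listing_enabled_lines() {
    grep -inE '^[[:space:]]*Options[[:space:]]' "$1" |
        grep -iE '[[:space:]]\+?Indexes([[:space:]]|$)' || true
}

# make_demo_tree: build a constructed sample (paths are made up), print its location.
make_demo_tree() {
    _t=$(mktemp -d) || return 1
    mkdir -p "$_t/moodle/admin" "$_t/moodle/report/log"
    touch "$_t/moodle/index.php" "$_t/moodle/admin/index.php" \
          "$_t/moodle/report/log/index.php"
    printf '%s\n' '<Directory /var/www/>' \
        '    Options Indexes FollowSymLinks' \
        '    # Options -Indexes' \
        '</Directory>' \
        '<Directory /var/www/docs/>' \
        '    Options -Indexes +FollowSymLinks' \
        '</Directory>' > "$_t/apache.conf"
    printf '%s\n' "$_t"
}

demo=$(make_demo_tree)
list_unindexed_dirs "$demo/moodle"        # only .../moodle/report lacks an index
listing_enabled_lines "$demo/apache.conf"
rm -rf "$demo"
```

Running `list_unindexed_dirs` against the Moodle code directory before and after adding blank index files shows which directories are still exposed. Removing `Indexes` from a reported `Options` line (or setting `Options -Indexes`) turns listings off at the server instead of per directory.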