Application was allowing internal Directories enumeration


by Sunny Adhatrao -

Hi,

Sensitive directories like backup, CGI-bin, cache, /privacy/, /cgi-bin/, /rss/, /media/, /report/, /local/, /pix/, /custom/, /customreports/, /install/, /portfolio/, /custom/, /cache/, /pix/lp/, /lang/, /question/, /backup/, /theme/, /JavaScript/, /repository/, /analytics/, /availability/, /webservice/, /favorites/, /plagiarism/, /competency/ were configured in the moodle directory.

Now at the network level it gives a 403 Forbidden error.

I want the application to always give a 404 or a generic error for any directory that is being accessed and is not authorised to be viewed.

Please suggest...

In reply to Sunny Adhatrao

Re: Application was allowing internal Directories enumeration

by Sergio Rabellino -
This should be done at the webserver level (even I don't understand why), not at the application level.
Anyway, the right response should be "403 Forbidden".
In reply to Sergio Rabellino

Re: Re: Application was allowing internal Directories enumeration

by Sunny Adhatrao -
Thank you for your reply.

It will be possible that an attacker can use brute force techniques to search for unlinked content in the domain directory, such as temporary directories and files, and old backup and configuration files. These resources may store sensitive information about web applications and operating systems, such as source code, credentials, internal network addressing, and so on, and are thus considered a valuable resource for intruders.
In reply to Sunny Adhatrao

Re: Re: Re: Application was allowing internal Directories enumeration

by Sergio Rabellino -
IMHO, this can be done anyway if the folder should be accessed by the clients. If you think that these folders should not be accessed, this should be blocked (with a 403 Forbidden) at webserver level, but the specific configuration depends heavily on what web server you are using (apache/nginx/iis or whatever).
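As an added illustration of the webserver-level approach described in the reply above (this is example configuration, not from the thread or from Moodle itself), here is how an nginx site block can refuse a whole directory subtree with a 403 (or a 404) while leaving the application's PHP entry points working. The server name, root, socket path and the directory names are placeholders; check which Moodle directories your site really serves to browsers before denying any of them.

```nginx
# Example nginx site block (assumed paths/names; not Moodle's own config).
# Directory names in the location regex are PLACEHOLDERS for whatever the
# site admin has decided must not be reachable by clients.
server {
    listen 443 ssl;
    server_name moodle.example.org;      # assumption
    root /var/www/moodle;                # assumption

    # Never generate directory listings, whatever the path.
    autoindex off;

    # Deny the whole subtree, not only the index, so /backup/x.zip is
    # covered as well as /backup/ itself.
    location ~ ^/(backup|customreports)(/|$) {
        return 403;
    }

    # Same idea with a 404 if you prefer not to confirm that the
    # directory exists at all.
    # location ~ ^/(install)(/|$) { return 404; }

    # Keep Moodle's PHP scripts reachable (socket path is an assumption).
    location ~ \.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}
```

After reloading nginx, `curl -sI https://moodle.example.org/backup/ | head -1` should show the chosen status for the denied path, while a normal course page still returns 200.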