Directory Indexing
Overview
Directory indexing attacks exploit poorly configured / setup
websites which base the security of sensitive files on the fact users don't
know the URL which references them. By being able to obtain a listing of the
files in particular directories the attacker is able to identify these
sensitive, 'hidden' files and thereby access them. This can provide attackers
with direct access to the information contained in these files. It can also
provide attackers with information which can be used to facilitate future
attacks against the site. Estimates suggest at least
1 out of 20 sites have directory indexing vulnerabilities.
What makes a
site vulnerable?
A site may be vulnerable to directory indexing if the web server on
which it runs is configured to display directory listings and the website does
not provide an index file in each directory on the site. Alternatively, the
site may be vulnerable if it provides index files, and these index files
themselves provide a listing of the directory contents.
Impact of the
attack
Directory indexing allows an attacker to view a list of all files in
a given directory. From this, the attacker can attempt to access these files.
It may be the case that some of these files are not intended to be viewed by
users. The contents of the files, or even the filenames themselves, may provide
the attacker with private user information (credit card details, etc.). There
may be backups of the source code files which (due to an extension such as
.bak) can be opened and viewed by the attacker. Viewing the source code may
facilitate attacks against the site, and may even give up useful information
such as database login details. The directory indexes may also allow the
attacker to identify supposedly hidden functionality, such as admin-only web
pages, which could give the attacker a significant degree of control over the
website.
Preventing the
attack
Directory indexing attacks can be prevented by suppressing the
creation of directory indexes. This can be done in several ways. The web server
can be configured not to generate these indexes. Index files can be put in each
directory which do something other than produce an index (or do nothing at all).
Security mechanisms such as .htaccess files can also be implemented to prevent
indexes from being accessed.
The attack in
the wild
In July 2007, Fox News’ website was found to have
directory indexing enabled.
This vulnerability enabled its discoverer to locate a shell script under the
admin directory which contained the username and password for a Fox News ftp
account. This account contained the names, email addresses and phone numbers of
1.5 million people.