Open Source and information security mailing list archives
 
Date: Tue, 28 Oct 2003 00:40:17 -0800
From: Stephen Samuel <samuel@...reen.com>
To: tfm@....org, bugtraq@...urityfocus.com
Subject: Re: Root Directory Listing on RH default apache


You can fix it by changing the line to:
<LocationMatch "^/*$">

On the other hand, if you can guess the name of any directory without
its own index.html file, you'll still get a listing.  If you're worried
about people seeing your directories, you should turn off the feature
entirely.

tfm@....org wrote:
....
> ==============================================
> From /etc/httpd/conf/httpd.conf
> # 
> # Disable autoindex for the root directory, and present a
> # default Welcome page if no other index page is present.
> #
> <LocationMatch "^/$">
>     Options -Indexes
>     ErrorDocument 403 /error/noindex.html
> </LocationMatch>
> ==============================================
....
> 
> It's true if you made a request like
> 
> GET / HTTP/1.0
> 
> Not true if you type:
> 
> GET // HTTP/1.0


-- 
Stephen Samuel +1(604)876-0426                samuel@...reen.com
		   http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
      the jewel within each person and bringing it to light.
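
The two points in this message, as an added example that is not part of the original post: it checks which request paths each LocationMatch pattern from the thread actually covers. It assumes the regex is tested against the URL path as sent, that Indexes is otherwise enabled, and that Python's re behaves like Apache's regex engine for patterns this simple; the sample paths (including the hypothetical /somedir/) are constructed.

```python
import re

# Patterns taken from the thread: the stock Red Hat one and the suggested fix.
STOCK = r"^/$"
SUGGESTED = r"^/*$"

# Constructed request paths: the two from the thread, a longer run of slashes,
# and a hypothetical subdirectory that has no index.html of its own.
SAMPLE_PATHS = ["/", "//", "///", "/somedir/"]


def covered(pattern, path):
    """True if a <LocationMatch pattern> section would apply to this path.

    Assumption: the regex is tested against the URL path as sent, without
    collapsing repeated slashes, and Python's re agrees with Apache's regex
    engine for patterns this simple.
    """
    return re.search(pattern, path) is not None


def uncovered(pattern, paths):
    """Paths where the section's 'Options -Indexes' would not take effect."""
    return [p for p in paths if not covered(pattern, p)]


def report(paths=SAMPLE_PATHS):
    """Map each pattern to the sample paths it leaves with Indexes still on."""
    return {pat: uncovered(pat, paths) for pat in (STOCK, SUGGESTED)}


if __name__ == "__main__":
    for pat, missed in report().items():
        print(f"{pat!r:10} leaves autoindex reachable at: {missed}")
```

The subdirectory path is missed by both patterns, which is why disabling Indexes for the whole tree is the more complete setting.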

