| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 2 Nov 2003 09:36:45 +0100 From: "M.Hirsch" <M.Hirsch@....de> To: bugtraq@...urityfocus.com Subject: Re: Root Directory Listing on RH default apache Am Dienstag, 28. Oktober 2003 09:40 schrieb Stephen Samuel: > You can fix it by changing the line to: > <LocationMatch "^/*$> great idea... oops: GET /./ HTTP/1.0 > If you're worried > about people seeing your directories, you should turn off the feature > entirely. This sounds much better. Always choose a "deny everything that is not explicitly allowed" policy. M. > You can fix it by changing the line to: > <LocationMatch "^/*$> > > On the other hand, if youc an guess the name of any directory without > it's own index.html file, you'll still get a listing. If you're worried > about people seeing your directories, you should turn off the feature > entirely. > > tfm@....org wrote: > .... > > > ============================================== > > > >>From /etc/httpd/conf/httpd.conf > > > > # > > # Disable autoindex for the root directory, and present a > > # default Welcome page if no other index page is present. > > # > > <LocationMatch "^/$> > > Options -Indexes > > ErrorDocument 403 /error/noindex.html > > </LocationMatch> > > ============================================== > > .... > > > It's true if you made a request like > > > > GET / HTTP/1.0 > > > > Not true if you type: > > > > GET // HTTP/1.0
Powered by blists - more mailing lists