A simple security measure

A reader recently asked me this security question:

If a user enters:

http://<my_ip>/<mydirectory>

instead of

http://<my_ip>/<mydirectory>/script.php

they get a listing of all scripts/files in that directory, and they can then select and execute/run those scripts.

This is a real concern for us. Any suggestions?

The solution is to turn off directory browsing (Apache's automatic directory index) in your Apache configuration. To do this, make sure the relevant Apache configuration file (probably httpd.conf, or a .htaccess file in the directory) includes this directive:

Options -Indexes

Note that this directive merely prevents people from discovering the names of your files. Users who already know your file names can still access them. But Options -Indexes provides an important layer of security, preventing mischief from casual users who might otherwise stumble onto your file names by accident or design.

More information: http://httpd.apache.org/docs/2.2/mod/core.html#options
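As an added illustration (not from the original post), here is how the directive usually sits in context: a <Directory> block for the document root, with the weak setting left in as a comment beside the corrected one. The server name, paths and the index file name are placeholders for this example.

```apache
# Added example: document-root <Directory> block with directory listings disabled.
# Server name, paths and the index file name below are placeholders.

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/www/htdocs"

    <Directory "/www/htdocs">
        # Weak: "Indexes" lets mod_autoindex list every file in any directory
        # that has no index page, exposing script names to any visitor.
        # Options Indexes FollowSymLinks

        # Fixed: remove Indexes explicitly. A request for a directory that has
        # no index file now returns 403 Forbidden instead of a file listing.
        # (When mixing +/- with other options, every option needs a prefix.)
        Options -Indexes +FollowSymLinks

        # Serve this file when the bare directory URL is requested, so the
        # directory URL does something useful without a listing.
        DirectoryIndex index.php

        # Only needed if a per-directory .htaccess should be allowed to set
        # Options itself. If AllowOverride does not include Options, an
        # "Options -Indexes" line in .htaccess is either never read
        # (AllowOverride None) or rejected with a 500 error.
        AllowOverride Options
    </Directory>
</VirtualHost>
```

After changing the configuration, run `apachectl configtest` to catch syntax errors, then restart or reload Apache and request a directory URL that has no index file: the expected response is 403 Forbidden rather than a listing.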

This entry was posted in Apache, PHP, Web development.

2 Responses to A simple security measure

  1. Are directory indexes honestly on by default when you install Apache on an iSeries? Shame on IBM if that's the case.

  2. Alan Seiden says:

    Justin, good question. Zend Server has indexes off (good). As for Zend Core (the older version), its proxy server had indexes off (good) but its workhorse PASE server had them on. That would be fine if everyone used the proxy server to control requests, but some people might have dispensed with the proxy server, potentially landing them in trouble if they did not configure the PASE Apache server carefully.

    Zend Server, which is the current version of PHP on IBM i (iSeries/i5), is fine. There’s only one Apache server, and it is configured with Options -Indexes. Simple and safe.

    In the case of the person who wrote to me, I think he was using Zend Server, so he should have been OK. Perhaps he was experimenting with configurations that he got elsewhere. I will ask him.
