homepage Welcome to WebmasterWorld Guest from 54.224.53.192
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Code, Content, and Presentation / Apache Web Server
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL & phranque

Apache Web Server Forum

    
Apache server. showing folders, files, etc that were perviously hidd
kahuna

10+ Year Member



 
Msg#: 4554299 posted 1:14 pm on Mar 13, 2013 (gmt 0)

My hosting companies, Apache or Unix servers, are now showing directories, folders and files, that do not have an index.html (etc) type file, or protected with .htaccess file...

This situation did not previously exist. It used to be that a "forbidden" type error was produced if an index "type" file was not present or .htaccess file addressed.

My hosting company, a very large company, is telling me that it is a new version of Apache that is causing this situation. They didn't tell me one way or the other if they were going to correct it.

I find it hard to believe this is not correctable....


Thanks group.

 

phranque

WebmasterWorld Administrator phranque us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 4554299 posted 2:29 pm on Mar 13, 2013 (gmt 0)

to prevent the problem with missing index files, try adding this to your .htaccess file:

Options -Indexes


what directives are you using to protect directories in .htaccess?

kahuna

10+ Year Member



 
Msg#: 4554299 posted 4:05 pm on Mar 13, 2013 (gmt 0)

Options -Indexes

what directives are you using to protect directories in .htaccess?


Thanks... I was already doing that all morning...

I don't really have many protected directories... just the standard password protect, I'm not really having a problem with that.

They used to have a default deny on directory browsing.
They used to have a default deny on the browsing of directories... I only noticed the difference this morning.

I don't have much experience on the server end or Apache... but it was mentioned that "they" should have "a default deny on directory browsing in the httpd.conf " file.

Why they wouldn't do that is beyond me...

Especially considering they have +++1000's of customers and that malicious searches would have access to vulnerable information .

lucy24

WebmasterWorld Senior Member lucy24 us a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



 
Msg#: 4554299 posted 9:04 pm on Mar 13, 2013 (gmt 0)

They used to have a default deny on the browsing of directories...

The single line phranque quoted will fix this. The setting
Options -Indexes
or
Options +Indexes

is inherited from top to bottom. So anything you say in your main htaccess file will apply to your entire site. If you want some directories to behave differently, just pop a one-line htaccess file in those.

Your hosts may have changed their minds about which setting to use in the beginning, or they may simply have forgotten to include the line after upgrading. The default in 2.2 and 2.4 is +Indexes. If you want -Indexes you have to say so explicitly. This did not change between 2.2 and 2.4. (I looked it up right now.) If the host has only just upgraded from 1.3 to 2.x I do not want to hear about it ;)

Now, the host's config file should absolutely have a line that makes files with leading . dot invisible to everyone, everywhere, both in directory listings and in browsing. It's not clear from your initial post whether people can now see the .htaccess file in one or both of these situations. If yes, change hosts yesterday. This would be a VAST security hole.

And if you are saying that your own
Options -Indexes
line is being ignored, it is also time to change hosts. "Options" is a separate override that can be enabled even if you're on low-budget hosting that won't let you do other basic things like redirecting.

EXCEPTION: ymmv, but in my setup I can't have the
Options -Indexes
line in the htaccess for my shared userspace (three domains). It has to go separately in each domain.

kahuna

10+ Year Member



 
Msg#: 4554299 posted 12:18 pm on Mar 14, 2013 (gmt 0)

Thank you everybody for your responses. The company has been very good with other situations, and it appears they have made the default to the -Indexes option in their configuration. I checked this morning with some other domains I have with them that I did not adjust.

or they may simply have forgotten to include the line after upgrading. The default in 2.2 and 2.4 is +Indexes. If you want -Indexes you have to say so explicitly....

This may well have been the problem. I can't really imagine having the default "+Indexes" except for training or specifically sharing purposes.

files with leading . dot invisible to everyone

That was not a problem.

Thanks again group!

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved