Posted to dev@httpd.apache.org by Ben Laurie <be...@gonzo.ben.algroup.co.uk> on 1996/11/25 19:27:27 UTC

Re: Security hole: force directory listings, avoid index.html

Brian Behlendorf wrote:
> 
> 
> With the current CVS tree:
> 
>   telnet www.apache.org 80
>   GET / HTTP/1.0
>   Accept: image/gif
>  
> What comes back is a directory listing of www.apache.org's root tree, even
> though there's an index.html there.  I consider this a security hole, in so far
> as people are considering index.html's as ways to protect the contents of a
> directory from indexing.  

Interesting. Of course, the type of the returned directory listing is
text/html, which doesn't match any Accept. Should the core catch this and
return an error (which error?).

There's also the question of why it happens in the first place?

Cheers,

Ben.

-- 
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author
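
Added example, not part of the original message and not Apache's code: one way to implement the check Ben asks about, testing whether the type of a generated response (here the text/html directory listing) satisfies the request's Accept header. The function names are hypothetical, and answering with 406 Not Acceptable (the status HTTP/1.1 defines for this case) is this example's choice; the thread leaves "which error?" open.

```python
# Added example: names below are illustrative, not Apache httpd internals.

def parse_accept(header):
    """Return [(type, subtype, q)] parsed from an Accept header value."""
    ranges = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        media = parts[0].lower()
        if "/" not in media:
            continue  # skip malformed entries
        mtype, subtype = media.split("/", 1)
        q = 1.0  # default quality when no q parameter is given
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # unparseable quality: treat as not acceptable
        ranges.append((mtype, subtype, q))
    return ranges


def acceptable(accept_header, content_type):
    """True if content_type is allowed by the Accept header."""
    if accept_header is None or not accept_header.strip():
        return True  # no Accept header: any type is acceptable
    ctype = content_type.split(";")[0].strip().lower()
    mtype, subtype = ctype.split("/", 1)
    best = None  # (specificity, q) of the most specific matching range
    for rtype, rsub, q in parse_accept(accept_header):
        if rtype == "*" and rsub == "*":
            spec = 0
        elif rtype == mtype and rsub == "*":
            spec = 1
        elif rtype == mtype and rsub == subtype:
            spec = 2
        else:
            continue
        if best is None or spec > best[0]:
            best = (spec, q)
    return best is not None and best[1] > 0


def status_for(accept_header, content_type):
    """200 if the generated type is acceptable, else 406 Not Acceptable."""
    return 200 if acceptable(accept_header, content_type) else 406
```

With the request quoted above (Accept: image/gif) and a text/html listing, status_for returns 406 instead of letting the listing through.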