Posted to dev@httpd.apache.org by Ben Laurie <be...@gonzo.ben.algroup.co.uk> on 1996/11/25 19:27:27 UTC
Re: Security hole: force directory listings, avoid index.html
Brian Behlendorf wrote:
>
>
> With the current CVS tree:
>
> telnet www.apache.org 80
> GET / HTTP/1.0
> Accept: image/gif
>
> What comes back is a directory listing of www.apache.org's root tree, even
> though there's an index.html there. I consider this a security hole, in so far
> as people are considering index.html's as ways to protect the contents of a
> directory from indexing.
Interesting. Of course, the type of the returned directory listing is
text/html, which doesn't match any Accept. Should the core catch this and
return an error (which error?).
There's also the question of why it happens in the first place.
Cheers,
Ben.
--
Ben Laurie Phone: +44 (181) 994 6435 Email: ben@algroup.co.uk
Freelance Consultant and Fax: +44 (181) 994 6472
Technical Director URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd, Apache Group member (http://www.apache.org)
London, England. Apache-SSL author
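
The check raised in the reply above (does the type of the generated response, text/html, match the request's Accept header) can be sketched as follows. This is an added example, not code from the Apache source tree or from either poster: `accept_allows`, `range_match` and `ieq` are hypothetical names, and the function assumes the response type is a bare media type with no parameters.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Case-insensitive comparison of the first n bytes. */
static int ieq(const char *a, const char *b, size_t n)
{
    while (n--)
        if (tolower((unsigned char)*a++) != tolower((unsigned char)*b++))
            return 0;
    return 1;
}

/* Specificity of a media range against a bare type such as "text/html":
 * 0 = no match, 1 = full wildcard, 2 = type wildcard, 3 = exact. */
static int range_match(const char *r, size_t len, const char *type)
{
    const char *slash = strchr(type, '/');
    size_t major = slash ? (size_t)(slash - type) + 1 : 0; /* "text/" */
    if (len == 3 && memcmp(r, "*/*", 3) == 0) return 1;
    if (major && len == major + 1 && r[len - 1] == '*' && ieq(r, type, major))
        return 2;
    return (len == strlen(type) && ieq(r, type, len)) ? 3 : 0;
}

/* 1 if `type` is acceptable under the Accept value, else 0. A missing or
 * empty header accepts everything; the most specific range decides. */
int accept_allows(const char *accept, const char *type)
{
    int best = 0;
    double best_q = 0.0;
    if (accept == NULL || accept[strspn(accept, " \t")] == '\0') return 1;
    while (*accept) {
        const char *end = accept + strcspn(accept, ",");  /* one element */
        const char *p = accept + strspn(accept, " \t");
        size_t rlen = strcspn(p, ";, \t");                /* media range */
        double q = 1.0;
        const char *s = p + rlen;
        while ((s = memchr(s, ';', (size_t)(end - s))) != NULL) {
            s += 1 + strspn(s + 1, " \t");                /* next parameter */
            if (tolower((unsigned char)s[0]) == 'q' && s[1] == '=')
                q = strtod(s + 2, NULL);
        }
        int m = range_match(p, rlen, type);
        if (m > best) { best = m; best_q = q; }
        accept = (*end == ',') ? end + 1 : end;
    }
    return best > 0 && best_q > 0.0;
}
```

For the request quoted in the thread, `accept_allows("image/gif", "text/html")` returns 0, so a caller would know the generated listing does not satisfy the client's Accept header before sending it.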