On my web site, there is an index page, but if I take out that index page, users will see the files in that directory. For instance, my site is XYZ.com and I have a directory called "My_Dir", so when a user types in "XYZ.com/My_Dir" he will see the index.html if there is one, but if it's not there, he will see a list of all my files inside "My_Dir". So is it safe to assume that with an index page in any of my sub-directories, I can hide all the files in those directories from users? In other words, if I have "123.txt, abc.html and index.html" in "My_Dir", users won't be able to see "123.txt, abc.html" because of the existence of "index.html" [unless of course I mention those two files inside index.html]?

Frank

+1  A: 

That's a safe assumption: on most servers (at least with Apache, AFAIK) the default page is index.html, so it will serve that as a web page instead of showing the file structure.

Just because they can't see the files though doesn't mean they can't guess abc.html or secret.txt. It would be worth learning about MOD_REWRITE (if you're on Apache) or otherwise getting a good sense of the defaults on your server. Do you know what software it's running?

Alex Mcp
No, I don't but I can ask my ISP to turn off dir listing, thanks.
Frank
A: 

This depends very much on your web server, but yes, the default for both Apache and IIS (the most common web servers) is that an index.html page, if present, will always be the default view if you access the directory.

Two important points, though: one is that this is configurable; you can set what page name should be the default view, and you can set whether directory browsing (seeing the list of files) is enabled, even if the default view is not present.

The second point is that the other files in the directory are still accessible, they just won't be listed.

JacobM
A: 

You're right that they won't be able to see them just by visiting the URL that ends in the directory name in a standard browser. If you have other connection options available, though, such as FTP, they are likely to be able to look wherever they want after establishing a valid connection.

General security advice: you should probably set strict permissions on any files that you don't want random people looking at. Of course this will not work on pages you DO want available online (e.g. through links) but could be helpful if you're the kind of person who keeps little notes to yourself in various directories.

Also note Alex's second paragraph (curses, I've been FGITW-ed).

Lord Torgamus
+2  A: 

This is correct. Unless of course these files are never linked anywhere and no one just tries to type various filenames.

To hide files there are better alternatives. On Apache, for example, you can use .htaccess for password protection. You can also turn off the directory listing.

neo
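Putting JacobM's two points (the index page name and directory browsing are both configurable, and unlisted files stay reachable by name) and neo's alternatives (password protection, listing turned off) into one actual Apache configuration, as an added example that is not code from this thread. It assumes an .htaccess file placed in the question's "My_Dir" directory, that the server's AllowOverride setting permits these directives, and that /path/to/.htpasswd is a hypothetical password file created with the htpasswd tool; the Require syntax is Apache 2.4.

```apacheconf
# Added example, not from the original thread.
# Place this in the "My_Dir" directory as .htaccess.

# Serve index.html when the directory itself is requested.
# This is the default the answers describe, stated explicitly.
DirectoryIndex index.html

# Turn off the automatic file listing when no index page exists.
# Without this, a missing index.html shows every file in the directory.
Options -Indexes

# Files that are not listed are still reachable by name, so deny the
# ones that must stay private regardless of whether listing is on.
<Files "123.txt">
    Require all denied
</Files>

# Alternatively, require a login for everything in the directory.
# /path/to/.htpasswd is a hypothetical path; create the file with htpasswd.
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/.htpasswd
Require valid-user
```

With all of these in place, requesting "XYZ.com/My_Dir" prompts for a password and then serves index.html, "abc.html" is served to a logged-in user who types its name, and "123.txt" is refused for everyone, because the more specific `<Files>` section replaces the directory-wide Require. The two halves can also be used separately: `Options -Indexes` alone stops the listing but changes nothing about direct access, which is exactly the point JacobM makes.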
+1  A: 

You need to deny directory browsing on your web server.

I am not sure how to do it on Apache, but in

IIS 6

  1. Right-click on the particular website under "Web Sites", e.g. "Default Web Site"
  2. Click on the "Home Directory" tab
  3. Make sure that "directory browsing" is not checked

IIS7

  1. Click on the particular website under Sites in IIS
  2. Double-Click on the "Directory Browsing"
  3. Click on the Disable link in the right window

Waleed Al-Balooshi