The world wide web has hit Zimbabwe like a pandemic. Almost everyone, and most companies, now have an online presence, either on a website or on social platforms. But cyber security has become something of a foreign language to most, even the Mobile Network Operators (MNOs).
A website directory index vulnerability simply means that if somebody browses to a directory that has no index file, the web server shows them a listing of every file in that directory. If the directory contains nothing but publicly accessible files (pictures, PDFs, HTML files and the like), then the auto-generated index is no less secure than an equivalent manually written index page.
However, if that directory contains scripts written in PHP, ASP, ASP.NET or other languages, where the application files are stored inside the document root mixed in with the media, then the auto-generated index may hand out links to files you never intended to make public. This is even more true if you keep "include" files (which typically hold configuration or database credentials) in there as well.
Note that the directory index itself is not a vulnerability and poses no security risk on its own. It can, however, help an attacker locate and abuse some other weakness on the site, such as a backup copy of a script or a configuration file left in a web-served directory. If you have no such weaknesses, the index adds no risk by itself.
How to Disable Directory Browsing
You will see this kind of directory listing on many websites. Take the (hypothetical) site site.co.zw as an example: by walking through likely directories, for instance requesting www.site.co.zw/images/, an attacker looks for unlinked directories and has a fair chance of also finding web configuration files, backups and server-side scripts exposed in the listing.
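The check an attacker (or you, auditing your own site) would run against such directories, as an added example that is not part of the original article: it recognises the auto-generated index pages of Apache (mod_autoindex) and IIS, pulls the file names out of the listing and flags the ones that should never be web-visible (scripts, include files, backups, configs). The host name www.site.co.zw is the article's placeholder, and the two responses below are constructed to look like each server's listing, not captured from any real site; the live check_directory() function needs network access and is not used by the offline demo.

```python
"""Detect server-generated directory listings and flag files that should not be exposed.

Added example; the sample responses are constructed, not captured from a real server.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Markers of an auto-generated index page (Apache mod_autoindex and IIS directory browsing).
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.IGNORECASE),     # Apache: <title>Index of /images</title>
    re.compile(r"\[To Parent Directory\]", re.IGNORECASE),  # IIS:    <A HREF="/">[To Parent Directory]</A>
)

# Names a listing should never reveal: server-side code, includes, backups, configs, dumps.
SENSITIVE_NAME = re.compile(
    r"(\.(php|phps|asp|aspx|ashx|inc|bak|old|orig|sql|env|ini|log|zip|tar\.gz)$"
    r"|^(web\.config|\.htaccess|\.htpasswd|wp-config\.php)$)",
    re.IGNORECASE,
)

HREF = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def is_directory_listing(status, body):
    """A 200 response whose body carries one of the server listing markers."""
    return status == 200 and any(m.search(body) for m in LISTING_MARKERS)


def listed_entries(body):
    """Links from the listing, minus Apache's sort links (?C=N;O=D), the parent link and absolute URLs."""
    entries = []
    for link in HREF.findall(body):
        if link.startswith("?") or link in ("/", "../") or "://" in link:
            continue
        entries.append(link)
    return entries


def find_sensitive(base_url, body):
    """Full URLs of listed files whose name matches SENSITIVE_NAME, sorted for stable output."""
    hits = []
    for link in listed_entries(body):
        name = link.rstrip("/").rsplit("/", 1)[-1]
        if SENSITIVE_NAME.search(name):
            hits.append(urljoin(base_url, link))
    return sorted(hits)


def check_directory(url, timeout=10):
    """Live check of one directory URL (needs network; not used by the offline demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlist-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 403/404 still carry a body worth inspecting
        status, body = e.code, e.read().decode("utf-8", "replace")
    if not is_directory_listing(status, body):
        return status, []
    return status, find_sensitive(url, body)


# Constructed sample: what Apache returns for an /includes/ directory with no index file.
APACHE_SAMPLE = """\
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /includes</title></head>
<body><h1>Index of /includes</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="db.inc">db.inc</a></td><td>2015-01-05 09:12</td></tr>
<tr><td><a href="config.php.bak">config.php.bak</a></td><td>2015-01-05 09:12</td></tr>
<tr><td><a href="logo.png">logo.png</a></td><td>2015-01-05 09:12</td></tr>
</table></body></html>
"""

# Constructed sample: what IIS returns for /images/ with directory browsing enabled.
IIS_SAMPLE = """\
<html><head><title>www.site.co.zw - /images/</title></head>
<body><H1>www.site.co.zw - /images/</H1><hr>
<pre><A HREF="/">[To Parent Directory]</A><br><br>
 1/5/2015  9:12 AM        12345 <A HREF="/images/banner.jpg">banner.jpg</A><br>
 1/5/2015  9:12 AM         2048 <A HREF="/images/web.config">web.config</A><br>
</pre><hr></body></html>
"""

if __name__ == "__main__":
    for base, body in (("http://www.site.co.zw/includes/", APACHE_SAMPLE),
                       ("http://www.site.co.zw/images/", IIS_SAMPLE)):
        print(base, "listing:", is_directory_listing(200, body), "exposed:", find_sensitive(base, body))
```

Run it as-is to see the two constructed listings analysed; point check_directory() at your own site's candidate directories (/images/, /includes/, /backup/, /uploads/) to test a live server. A 403 or a normal page instead of a listing means directory browsing is off for that path.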
The easy way
On Apache, open httpd.conf (or the site's own configuration file under conf.d or sites-enabled) and search for the Options line of the Directory block that serves your site, typically:
Options Indexes FollowSymLinks
Remove the Indexes keyword so the line reads:
Options FollowSymLinks
Do not write Options -Indexes FollowSymLinks: a line that mixes +/- prefixed options with bare ones is not valid Apache syntax (Apache 2.4 rejects it at startup). If you prefer the +/- form, prefix every option: Options -Indexes +FollowSymLinks. Then run apachectl configtest and reload Apache for the change to take effect. The setting only applies to the Directory block you edited, so check any other blocks (for example one for /images/) that enable Indexes separately.
In IIS 7:
Open IIS Manager, select the site (or the specific folder) in the Connections pane, and in "Features View" double-click "Directory Browsing".
In the "Actions" pane click Disable if directory browsing is enabled. (It is disabled by default in IIS 7, so you only need this step if someone turned it on.)
You will be done.
The hard way
To disable directory browsing on your site, you only need to add a single line to the .htaccess file located in the root directory of your website. To edit the .htaccess file you need to connect to your website using an FTP client (or, better, SFTP, so that your credentials are not sent in the clear). If the file does not appear, make sure your client is not hiding dotfiles; most FTP programs have an option to show hidden files. If .htaccess exists, download it to your computer.
PS: Save a copy of the current .htaccess first. The backup is useful in case you make a mistake later.
Create or Open the .htaccess File
If you managed to get the .htaccess file, open it in a plain text editor such as Notepad++ or Notepad. If one does not exist, use the editor to create a new blank document. The rest of this article assumes that you have the editor open with .htaccess loaded, or with a blank document if no .htaccess file previously existed.
WARNING: do not use a word processor like Word, Office or WordPad to create or edit your .htaccess file. Those programs save formatting and encoding data that Apache cannot parse, and your site will break (Apache answers every request with a 500 error) as soon as you upload the file. This is very important. There are no exceptions.
Add the following line to your .htaccess file, save it as plain text under the exact name .htaccess (no .txt extension), and upload it back to the root of your site:
Options -Indexes
For this to work, the server's main configuration must allow .htaccess to override Options (AllowOverride Options or AllowOverride All for that directory); if it does not, Apache returns a 500 error for the whole site and you must use the httpd.conf method above instead. Finally, request a directory that has no index file (such as /images/) in your browser: you should now get a 403 Forbidden page instead of the file listing.
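An audit script covering both the httpd.conf and the .htaccess routes, as an added example that is not part of the original article: it scans configuration text for Options lines that leave directory listing on, rewrites them without producing the mixed +/- form that Apache rejects, and reports what it changed. The Directory blocks in SAMPLE_HTTPD_CONF are constructed for the demonstration (the paths are assumed, not taken from any real server); the same function works on the contents of a .htaccess file.

```python
"""Audit Apache configuration text (httpd.conf fragments or .htaccess) for Options lines
that leave directory listing on, and rewrite them.  Added example; the sample config is
constructed for this demonstration."""
import re

# One "Options ..." line: indent, keyword, separator, option tokens, trailing whitespace.
OPTIONS_RE = re.compile(r"^(\s*)Options(\s+)(.+?)(\s*)$", re.IGNORECASE)


def indexes_enabled(tokens):
    """True if these Options tokens leave directory listing on.
    Apache applies tokens left to right: 'Indexes', '+Indexes' and 'All' turn it on,
    '-Indexes' turns it off."""
    enabled = False
    for tok in tokens:
        name = tok.lstrip("+-").lower()
        if name in ("indexes", "all"):
            enabled = not tok.startswith("-")
    return enabled


def harden_options_line(line):
    """Return (possibly rewritten line, finding text or None)."""
    m = OPTIONS_RE.match(line)
    if not m:
        return line, None
    indent, sep, body, trailing = m.groups()
    tokens = body.split()
    notes = []

    # Apache rejects a line mixing +/- options with bare ones ("Options -Indexes FollowSymLinks").
    signed = [t for t in tokens if t[0] in "+-"]
    if signed and len(signed) != len(tokens):
        notes.append("mixed +/- and bare options (rejected by Apache 2.4)")
        tokens = [t if t[0] in "+-" else "+" + t for t in tokens]

    if indexes_enabled(tokens):
        if any(t.lstrip("+-").lower() == "all" for t in tokens):
            # 'All' implies Indexes; the wanted options have to be listed by hand.
            return line, f"manual fix needed, 'All' enables Indexes: {line.strip()!r}"
        notes.append("directory listing enabled")
        if signed:
            tokens = ["-Indexes" if t.lstrip("+-").lower() == "indexes" else t for t in tokens]
        else:
            # Bare syntax: drop the keyword rather than prefix a single token with '-'.
            tokens = [t for t in tokens if t.lower() != "indexes"] or ["None"]

    if not notes:
        return line, None
    new_line = f"{indent}Options{sep}{' '.join(tokens)}{trailing}"
    return new_line, f"{'; '.join(notes)}: {line.strip()!r} -> {new_line.strip()!r}"


def harden_config(text):
    """Rewrite every Options line in a config text; return (new text, list of findings)."""
    out, findings = [], []
    for line in text.splitlines():
        new_line, finding = harden_options_line(line)
        out.append(new_line)
        if finding:
            findings.append(finding)
    return "\n".join(out), findings


# Constructed sample in the style of a distribution httpd.conf; paths are assumed.
SAMPLE_HTTPD_CONF = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/images">
    Options +Indexes +FollowSymLinks
</Directory>
<Directory "/var/www/html/includes">
    Options FollowSymLinks
</Directory>
"""

if __name__ == "__main__":
    hardened, findings = harden_config(SAMPLE_HTTPD_CONF)
    for f in findings:
        print("FINDING:", f)
    print(hardened)
```

Feed it the text of your own httpd.conf or .htaccess, review the findings, and only then write the hardened text back; afterwards run apachectl configtest before reloading, since the script checks Options syntax alone and nothing else in the file.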
We hope this article helped you learn how to disable directory browsing and make your website a little more secure. For questions and feedback, leave a comment below or join us on Twitter.