How to Disable Directory Listing on a Web Server
While browsing web pages, most of us expect to see only the pages offered. However, sometimes we come upon what looks like a listing of files, as we might see in Windows Explorer, rather than a web page. This is called a directory listing. It is sometimes used deliberately to offer files easily on the internet, but if unintended, it can give an attacker valuable information about your site.
Directory Listings and Why You Might Want to Remove Them
Directory listings can happen in two ways. First, an attacker could view all files in a given web directory. This allows them to see files which might not be linked anywhere on your site, including files which may contain sensitive information, such as backup script files (like index.php~ or index.php.bak), .htaccess files, or text files with notes (password.txt!).
The other method is more dangerous. Some web servers are set up so that the web home directory is actually the user's home directory, so passing certain values in the web address can produce directory listings outside of the normally safe web folder structure. This is more dangerous because an attacker may be able to find and execute programs on your server through a web browser, potentially exploiting those programs as well.
Can Listing Directories Open Me to Attack?
Generally, this is not a security threat in itself, as it only allows the attacker to gain information. However, the information gathered will help them analyze your site for weaknesses and could lead to an intrusion down the road. In the worst case, it could allow attackers to attack your web server immediately using specially crafted URLs.
However, if one or more directories holds a secret file, such as a password or key file, attackers may be able to steal it. Additionally, directory traversal can sometimes allow attackers to access files outside the web root directory, leading to the theft of system files, which can aid in further attacks.
How to Disable Directory Listings in Apache
If you are using the Apache web server, you can disable directory browsing. It is strongly recommended that you follow these steps unless you actually do want to show directories to your users. In that case, it is best to apply the following steps to all other directories and make exceptions only for the directories you want to show.
Navigate to your Apache config file (httpd.conf)
Open the config file using a text editor like vi (vi httpd.conf)
Search for the Directory section of the file where your website resides, and the Options keyword beneath it. It should look something like:
Prefix the 'Indexes' option in that line with a minus sign, so the line would read instead:
If your config file looks different, that's ok. The only important piece is to make sure that Indexes is preceded by a minus sign, or that the only word after Options is None. In fact, if you don't need any options, it is best to set it to None in the first place.
If you don't have access to the main Apache configuration, you can accomplish the same thing per folder by including the same line in a .htaccess file in each subdirectory. Be careful to also bar viewing of the .htaccess files themselves.
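As an added example, not part of the original article, the following POSIX shell script checks an httpd.conf or .htaccess file for Options lines that still enable indexing (Indexes, +Indexes, or All, which implies Indexes) and runs against two constructed config fragments representing the 'before' and 'after' versions of the Options line described above. The sample directory path and file names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): scan an Apache httpd.conf or
# .htaccess file for Options lines that leave directory indexing enabled.
# Apache treats "Indexes", "+Indexes" and "All" (which includes Indexes) as
# enabling the listing; "-Indexes" and "None" disable it.

# check_indexes FILE: print each enabling line as FILE:LINE: text.
# Returns 0 when no such line exists, 1 when directory listing is enabled.
check_indexes() {
  awk '
    /^[ \t]*#/ { next }                       # skip comment lines
    tolower($1) == "options" {
      for (i = 2; i <= NF; i++) {
        tok = tolower($i)
        if (tok == "indexes" || tok == "+indexes" || tok == "all" || tok == "+all") {
          printf "%s:%d: %s\n", FILENAME, NR, $0
          found = 1
        }
      }
    }
    END { if (found) exit 1; exit 0 }
  ' "$1"
}

# listing_status FILE: echo "enabled" or "disabled" for easy checking.
listing_status() {
  if check_indexes "$1" >/dev/null; then echo disabled; else echo enabled; fi
}

# Constructed sample configs (hypothetical paths) so the script runs offline.
SAMPLE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/apache-indexes.XXXXXX")
cat > "$SAMPLE_DIR/before.conf" <<'EOF'
# Constructed "before" fragment: listing is enabled
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF

cat > "$SAMPLE_DIR/after.conf" <<'EOF'
# Constructed "after" fragment: the same line with Indexes disabled
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
</Directory>
EOF

for f in before.conf after.conf; do
  echo "$f: directory listing $(listing_status "$SAMPLE_DIR/$f")"
  check_indexes "$SAMPLE_DIR/$f" || true   # show the offending line, if any
done
```

Run it as-is to see the demonstration, or call check_indexes on your own httpd.conf and .htaccess files; a non-zero exit status means at least one Options line still enables listing.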
Find Insecure Settings on your Webserver