[3559] in WWW Security List Archive
Re: Alta Vista may or may not harvest unadvertised documents
daemon@ATHENA.MIT.EDU (Alex F)
Fri Nov 15 19:02:42 1996
Date: Fri, 15 Nov 1996 15:57:42 -0500
To: Steven Bellovin <smb@research.att.com>
From: Alex F <alexf@iss.net>
Cc: "David M. Chess" <CHESS@watson.ibm.com>, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
FYI for the list... Our Web Security Scanner will perform checks for
unindexed directories, listable cgi-bin dirs, guessable cgi-bin dirs, etc.,
etc. For a full list check out http://www.iss.net/prod
Alex F
At 01:32 PM 11/13/96 -0500, Steven Bellovin wrote:
> > True, but almost all of the risk is eliminated if you provide the
> > index.html or what ever your server requires to block enumeration
> > of all files in a directory. While the files may still be accessible,
> > it would take a real guessing game to find the names.
>
> Or it would take some harvester accessing the directory URL
> during the one period when you'd accidentally erased the
> index.html, or you were in the middle of updating it in a
[snip]
>
>Blatant assertion: servers should refuse to deal with directories without
>explicit index.html files.
[snip]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Alex F - Internet Security Systems
Webmaster/Security Training
alexf@iss.net
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
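
An added example, not part of the original message and not code from any product mentioned in it: a local audit a webmaster can run over their own document root to list every directory that has no index file, the condition the quoted discussion turns on. The index file names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: the file names this server treats as a directory index.
INDEX_NAMES = ("index.html", "index.htm")

def audit_docroot(docroot, index_names=INDEX_NAMES):
    """Return [(relative_dir, entries)] for every directory lacking an index.

    `entries` is what an automatic listing of that directory would reveal.
    An index only counts if it is a regular file, so a dangling symlink
    left behind by an interrupted update is reported as missing.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        has_index = any(
            os.path.isfile(os.path.join(dirpath, name)) for name in index_names
        )
        if has_index:
            continue
        rel = os.path.relpath(dirpath, docroot)
        findings.append((rel, sorted(dirnames + filenames)))
    return sorted(findings)

def build_sample_tree(root):
    """Create a small constructed document root for the demonstration."""
    layout = {
        "index.html": "home",
        "docs/index.html": "docs",
        "drafts/memo.txt": "unadvertised",      # no index in drafts/
        "drafts/old/index.html": "archived",
        "cgi-bin/test.cgi": "#!/bin/sh",        # no index in cgi-bin/
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, entries in audit_docroot(root):
            print(f"{rel}/ has no index file; a listing would show: {entries}")
```

The result is a point-in-time check, so it does not cover the window the quoted reply describes, when an index file is briefly absent during an update.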