[21447] in bugtraq
Re: How Google indexed a file with no external link
daemon@ATHENA.MIT.EDU (W. Craig Trader)
Tue Jul 10 12:18:28 2001
Message-ID: <3B4B0DF7.7040506@unicornsrest.org>
Date: Tue, 10 Jul 2001 10:15:19 -0400
From: "W. Craig Trader" <ct7@unicornsrest.org>
MIME-Version: 1.0
To: Kevin <kevin@brasscannon.net>
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Kevin ...

I can tell you what's causing it, and how to disable it, but I can't
point you to specific documentation about it.

Kevin wrote:
>
> Looking a bit deeper, I saw googlebot (and later, some ordinary visitors)
> using this syntax:
>
> http://handsonhowto.com/?M=A
> http://handsonhowto.com/?S=D
>
> ...and if you try this yourself in Internet Explorer, you'll find that
> Apache is ignoring my index.html and is giving you a formatted directory
> of the docroot directory as though there were no index page.
>
> The differences between the ?M and the ?S versions are not blatantly
> obvious, at least not to me.

This is a "feature" of the Apache autoindex module:
http://httpd.apache.org/docs/mod/mod_autoindex.html

When you turn on FancyIndexing, the index page includes links for
sorting the directory by Name, file Size, Modification date/time, etc.
You can disable this by setting IndexOptions +SuppressColumnSorting
for any/all directories that have indexing enabled. These links are
apparently interpreted by apache even if the directory has an index
page. Bad Apache -- no biscuit.

> <Directory />
> Options FollowSymLinks
> AllowOverride None
> </Directory>
>
> <Directory /home/http/bcc/images>
> Order Deny,Allow
> Deny from All
> AllowOverride AuthConfig
> </Directory>
>
> <Directory "/home/http">
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
>
> <IfModule mod_dir.c>
> DirectoryIndex index.html
> </IfModule>
>
> <IfModule mod_autoindex.c>
> IndexOptions FancyIndexing
> # Bunch of defaults provided by Apache - snipped
> ReadmeName README
> HeaderName HEADER
> IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
> </IfModule>

I would recommend reading the auto_index module docs and altering your
settings for <Directory "/home/httpd"> accordingly.

- Craig -
--
============= Excellence is a journey, not a destination =============
=============== W. Craig Trader <ct7@unicornsrest.org> ===============
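
Added example, not part of the original message: a Python scan of a Common Log Format access log for the autoindex sort-link requests quoted in the thread (`?M=A`, `?S=D`), to see which directories have been requested, and served, in that form. The log lines are constructed, the function names are hypothetical, and the `N` and `D` sort keys go beyond the two forms shown in the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Sort links of the kind quoted in the thread: key N/M/S/D
# (name, modified, size, description), order A/D (ascending/descending).
SORT_QUERY = re.compile(r'^[NMSD]=[AD]$')


def find_sort_link_hits(lines):
    """Map directory path -> [(client, query, status)] for sort-link requests."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        url = urlsplit(m["target"])
        # Only directory URLs (trailing slash) with a bare sort query count.
        if url.path.endswith("/") and SORT_QUERY.match(url.query):
            hits[url.path].append((m["host"], url.query, int(m["status"])))
    return dict(hits)


def served_listings(hits):
    """Directories where at least one sort-link request was answered with 200."""
    return sorted(p for p, reqs in hits.items() if any(s == 200 for _, _, s in reqs))


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jul/2001:09:01:12 -0400] "GET /?M=A HTTP/1.0" 200 4312',
    '198.51.100.7 - - [10/Jul/2001:09:05:40 -0400] "GET /?S=D HTTP/1.1" 200 4312',
    '198.51.100.7 - - [10/Jul/2001:09:05:44 -0400] "GET /docs/?N=D HTTP/1.1" 200 2890',
    '192.0.2.10 - - [10/Jul/2001:09:06:02 -0400] "GET /private/?D=A HTTP/1.0" 403 281',
    '192.0.2.33 - - [10/Jul/2001:09:07:19 -0400] "GET /index.html HTTP/1.1" 200 1022',
    '192.0.2.33 - - [10/Jul/2001:09:07:25 -0400] "GET /search?M=A HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    hits = find_sort_link_hits(SAMPLE_LOG)
    for path in served_listings(hits):
        print(path, [(c, q) for c, q, s in hits[path] if s == 200])
```

A 200 in the log only shows that the request was answered; confirm in a browser whether the body is a listing or the index page before changing the directory's settings.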