[32218] in bugtraq
Re: Root Directory Listing on RH default apache
daemon@ATHENA.MIT.EDU (Stephen Samuel)
Wed Oct 29 13:12:31 2003
Message-ID: <3F9E2B71.5050403@bcgreen.com>
Date: Tue, 28 Oct 2003 00:40:17 -0800
From: Stephen Samuel <samuel@bcgreen.com>
MIME-Version: 1.0
To: tfm@tfm.org, bugtraq@securityfocus.com
In-Reply-To: <008501c39c87$49855a20$f900a8c0@infinito.it>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
You can fix it by changing the line to:
<LocationMatch "^/*$>
On the other hand, if youc an guess the name of any directory without
it's own index.html file, you'll still get a listing. If you're worried
about people seeing your directories, you should turn off the feature
entirely.
tfm@tfm.org wrote:
....
> ==============================================
>>From /etc/httpd/conf/httpd.conf
> #
> # Disable autoindex for the root directory, and present a
> # default Welcome page if no other index page is present.
> #
> <LocationMatch "^/$>
> Options -Indexes
> ErrorDocument 403 /error/noindex.html
> </LocationMatch>
> ==============================================
....
>
> It's true if you made a request like
>
> GET / HTTP/1.0
>
> Not true if you type:
>
> GET // HTTP/1.0
--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.
