PHP files browsable: is this a vulnerability?

What you're describing is normal directory listing.


In itself, directory listing is not a security issue. If the security of your system is compromised after figuring out the structure of your files and directories, then you're relying on security through obscurity, which is bad. Examples of this bad practice include:

  • Using secret directory names to access sensitive files.
  • Limiting the execution of privileged functions to only accessing their URLs rather than using proper permissions.
  • Leaving special doors/backdoors for developers.

However, as part of a good security policy, after implementing proper security measures, it's beneficial to obscure the working parts of your system. The less you show about your system, the less information an attacker can get on you, which means you're making their job more difficult.

"So, what should I do?" you ask. Simple: Disable directory listing in your web server configurations. In Apache, you go to your httpd.conf and find the line where it says

Options Includes Indexes

Remove Indexes from the line, then restart your Apache.


To add to the answers of @adnan and @william-calvin:

It "may" be a problem ;)

  1. It does reveal names of files that are only accessible by, for example, authenticated users (think "change_settings.php" for logged-in users). Now this in itself is not a problem. If his website is well written, then he will perform proper authorization checks before loading each file. From another point of view, a good crawler/spider will "map" all files that are accessible anyway.

  2. If he is messy with backup files (think: secret.bak or blah.php.old), then others will be able to read these files. This is also the case for quick phpinfo() and db_dump.sql files.

  3. He may include files that have a non-PHP extension, such as db.inc; depending on your Apache setup, an attacker may be able to read these.

So, as explained by the others, it is bad practice. It gives out more information than it should.
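
An Apache 2.4 configuration that applies the advice from the first two answers, added here as an example and not taken from either answer: it drops Indexes from the Options line and denies the stray backup, include and dump files named above. The document root /var/www/html is an assumption.

```apache
# Added example (not from the answers above). Assumes /var/www/html is the
# DocumentRoot; adjust the path to your own setup.
<Directory "/var/www/html">
    # Before: "Options Includes Indexes"  (Indexes is what produces the listing)
    # After:  "-Indexes" removes only that option and leaves any other
    #         inherited Options (such as Includes) in place.
    Options -Indexes

    # Ignore .htaccess files here, so a dropped-in .htaccess cannot
    # quietly switch Indexes back on for this tree.
    AllowOverride None
    Require all granted
</Directory>

# Leftover copies such as secret.bak, blah.php.old, db.inc or db_dump.sql
# are served as plain text if requested. Deny them by name pattern so a
# forgotten copy is not readable even when its exact name is known.
<FilesMatch "\.(bak|old|inc|sql)$">
    Require all denied
</FilesMatch>
```

After editing, run "apachectl configtest" and restart the server; a request for a directory without an index file should now return 403 instead of a listing.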


Yes. This is definitely an issue.

If I know your structure, I will be able to get a better understanding of your system, which makes it easier for me to attack your system.

It is recommended to turn off your directory listing (see this tutorial if you are on cPanel).

The less hackers know, the harder they need to think.
