2

TL;DR

  • What are the risks and downsides associated with allowing Options -Indexes to work in arbitrary .htaccess files on a shared Apache web host?

Context

  • Apache web server configuration
  • Linux RHEL host

Background

Trevor is using a shared hosting environment where he does not have access to change the apache httpd.conf settings. As a workaround for this limitation, he attempted to use Options -Indexes in a local .htacess file in order to prevent directory browsing, as specified in this semi-related post: folder and file permission shared host advice (I refer to the accepted answer)

disable directory browsing

Problem

For this particular host, this setting returns an Apache configuration error.

It turns out the sysadmin for this particular host disabled the Options directive, so that it does not work inside .htaccess files, and that is the source of Trevor's woes.

Questions

  • Trevor would like to know what specific risks were intended to be minimized by not allowing Options -Indexes to work in arbitrary .htaccess files on the shared webhost? Was the sysadmin being over-paranoid, or was there really a specific attack vector closed off by this approach?

  • What alternative risk mitigation tasks are available, other than adding an index.html to every sub directory?

See also

dreftymac
  • 371
  • 2
  • 9

2 Answers2

2

Allowing Indexes doesn't only allow disabling them, it also allows quite a bit of other options which could increase the attack surface.

Also, just setting AllowOverride to anything but None has a performance penalty as Apache now looks for .htaccess files in each directory of the requested file's path.

André Borie
  • 12,736
  • 3
  • 40
  • 76
2

Another common solution is to drop an index.php in each folder, with just a comment eg: silence is golden... Every WordPress installs like this.

As @Pinoniq pointed out, this solution would assume index.php is specified as your index file preference.

http://httpd.apache.org/docs/2.2/mod/mod_dir.html#directoryindex

Jacob Evans
  • 171
  • 7
  • the index.php will only work if the web-server is configured to look for index.php as the default document – Pinoniq Sep 21 '15 at 19:10
  • absolutely correct, I'll be more clear – Jacob Evans Sep 21 '15 at 19:11
  • Index.php would unnecessarily invoke the PHP interpreter. You could make that index.html instead to avoid that. Of course the best option is to not create unnecessary files at all and instead use the options the web server provides you to disable directory indexes. – André Borie Jun 28 '16 at 07:37
  • He's running apache and therefore must have unlimited resources – Jacob Evans Jun 28 '16 at 10:52
  • While Apache itself is quite resource intensive, why should we suggest making the problem even worse when we can avoid it? – André Borie Jun 29 '16 at 01:52