2

I have a small mongoose web server installed on my machine. I have a empty index.html in the root directory.

I want to be able to share link with people i know, by creating a folder that look like this: 0gzzfiz4pf80mn8dw1k3

So my friend would go to www.mysite.com/0gzzfiz4pf80mn8dw1k3 and be able to download the files i have put in this folder.

Is this a secure way to share file?

I understand that someone could listen in but what i don't want is people browsing www.mysite.com and be able to get a listing of those special folder i created.

EDIT:

Ok, so you need to deactivate directory listing and I would create a index.html file in that folder that redirect to the actual file i want to share with them. I am aware of the MITM problem, not really my concern here.

If I do deactivate directory listing, is there any other way other than brute-force to find my 0gzzfiz4pf80mn8dw1k3 folder?

Matthew
  • 27,263
  • 7
  • 89
  • 101

3 Answers3

3

You can disable directory listing in Mongoose using the following:

./mongoose -d no      [ Runtime ]
d    no               [ Config File ]

But why not password protect the directory with a .htaccess file?

./mongoose -A ./.htpasswd localhost admin pass

You'd still be susceptible to a MITM attack, so use this with SSL. While this may be a simple, lightweight web server, something like a full blown Apache will be much more hardened against exploits.

aus
  • 188
  • 1
  • 8
  • 1
    I recommend password protecting as well because if your friend or anyone you are sharing these files with accesses another website directly after viewing your special page, it will be listed as the referrer in the logs of the destination site. I also have a sneaky suspicion that google crawls referral sites, which means your "secret" link could become indexed by google. – k1DBLITZ Jan 31 '13 at 19:14
  • Wow @k1DBLITZ This would be bad indeed. But for this to be true it would only work if the next site my friend visit is google.com. Otherwise the site visited would get it in his log but google cant crawl each website log? – Benoit Bourgault Jan 31 '13 at 22:22
  • That is correct. Your friend would have to directly visit Google after accessing your page. – k1DBLITZ Jan 31 '13 at 22:28
  • So my only way to have 1 click links that are "safe" are to make those link 1-time use. TYVM @k1DBLITZ. – Benoit Bourgault Feb 01 '13 at 18:48
  • @k1DBLITZ I'm not 100%, but isn't it the case that refers only show up when clicking a link? I.e. if someone is on the site and then types google into the search bar (or hits a bookmark) there will be no referrer. Rather, the referrer only shows up if the site in question actually has a link to google, which is clicked. Ergo, your site would only expose itself via the referrer link if your site actually has links to other sites in it. Is that correct? – Conor Mancone Aug 17 '17 at 13:10
3

The first paragraph of AJHenderson's answer is slightly misleading. It appears to suggest that it's up to the browser to refuse to view the default file and instead get a directory listing.

If it is a default file, then it will end up displaying by default in most browsers

That is incorrect. There's no browser that is able to force the web server to list the directory contents if the the directory is configured to server a default page

You do not have to explicitly configure your web server to prevent listing directories. It is enough to configure it to look for default files (usually index.html, index.php, default.html..) and serve them.

In HTTP there's no Show me teh directoryz plz request. If the web server is configured to serve index.html files by default then there's no way*, AFAIK, to list the files in the directory in which the index.html exist.

Other than that, both answers offer great security advices.


*** Excluding bugs in the web server or brute-force/dictionary crawlers, like IntelliTamper.

Adi
  • 43,953
  • 16
  • 137
  • 168
1

Just to clarify on aus's answer. No, simply putting an index file is not sufficient to prevent directory browsing. If it is a default file, then it will end up displaying by default in most browsers, but you need to actually disable directory browsing as aus mentioned. Also, disabling directory browsing would prevent your friends from accessing the folder unless you turned on directory browsing for that folder particularly.

Password protected access or setting up FTP is the ideal way to handle this situation. You will also want to use SSL (even if just a self signed certificate) to protect the connection. If you self-sign, it will give a warning when your friends try to access it, but they can verify the fingerprint is your server's key and then manually trust the cert to avoid warnings in the future.

AJ Henderson
  • 41,896
  • 5
  • 63
  • 110