6

When you put a blank index.html into a given directory on a web server, web browsers will not display a file listing for that directory. But is it secure enough for other purposes other than preventing file listing? Are there other easy ways for unwanted people to display the file list, or access the files, in that directory?

Let's keep the scope within "casual would-be crackers" and personal websites.

Edit: This question is similar, but I believe it's about accessing subfolders: Is it possible to list folder from my web server if i have an empty index.html in the root folder?

Juha Untinen
  • 191
  • 1
  • 1
  • 6
  • _"But is it secure enough for other purposes other than preventing file listing?"_ What are these "other purposes" you're talking about? – Adi Jun 08 '13 at 14:18
  • 1
    By the way, you seem to misunderstand how the directory listing is generated. It's not done by the browser at all — instead, the web server will automatically generate an HTML file with the directory listing. The browser treats it as any other HTML page. – Joel L Jun 08 '13 at 14:23

2 Answers2

6

There isn't anything inherently insecure about the method you describe. However, this isn't the proper way to prevent directory browsing. It is easy to forget to add an empty index.html or index.php file to directories especially if you are managing tens of directories.

You should instead configure your web server appropriately to turn off directory indexing.

This can be done by removing the Indexes directive from the Options line in httpd.conf. If you need to list directory contents for special directories, you can overwrite it in individual directories using the .htaccess file.

  • _"This isn't the proper way to prevent directory browsing. You should instead configure your web server appropriately."_ Why isn't it proper? Is it bad? What are the possible scenarios in which it can be exploited? Any actual security reason? – Adi Jun 08 '13 at 14:15
  • 2
    Also, mental -1 for not answering the question. – Adi Jun 08 '13 at 14:16
  • 2
    @Terry used the phrase "not proper", meaning it's not the best way of achieving the goal. Yes, adding blank index files does work, but it's much cleaner to actually change the site configuration centrally. – Joel L Jun 08 '13 at 14:22
  • @JoelL The question is clear _"How secure is using a blank index.html / index.php?"_. Not "How proper is...?". Plus, this is a security site, answers like this have other places like SuperUser and WebMasters.SE – Adi Jun 08 '13 at 14:42
  • 2
    @Adnan: From a security standpoint: it's fairly easy to forget to add an index.html file, and when Directory indexes are turned on, information that's best kept private might leak. – Joel L Jun 08 '13 at 18:40
  • It is best to shut off displaying directory contents system wide and use .htaccess to display them only where appropriate. – Fiasco Labs Jun 08 '13 at 19:05
  • @JoelL Now, would that have been hard to add to the answer? I say you should write that in an answer of your own, and you'll get my +1 – Adi Jun 08 '13 at 22:14
3

The blank index file is indeed enough. But the proper way of doing that would be to disable directory indexing (in Apache web server you do that by not adding Indexes to vhost options).

This is because if you do that on a per-directory basis, you're liable to forget doing that for all directories you need to "protect". Also, you might come to harm if the default index page name changes (e.g. from index.html to index.php without .html fallback), so that the directory turns out no longer to have a default index.

LSerni
  • 22,670
  • 4
  • 51
  • 60
  • 2
    The blank index file is enough per directory but it is prone to failure. Usually, when you set up security, you want it to fail safe, not fail and leave the castle gates open. As you point out. – Fiasco Labs Jun 09 '13 at 19:19