HawkScan Test Info for Directory Browsing - Apache 2

Directory Browsing - Apache 2

Reference

Plugin Id: 10033 | CWE: 548

Remediation

To remediate the vulnerability of Directory Browsing in Apache 2, the following steps can be taken:

  1. Disable directory listing: By default, Apache 2 allows directory listing, which can expose sensitive information. To disable directory listing, add the following line to the Apache configuration file (httpd.conf or .htaccess):

    Options -Indexes
    

    This will prevent the server from displaying the directory contents when no index file is found.

  2. Enable index files: To ensure that a specific file is displayed when accessing a directory, configure Apache to use index files. Add the following line to the Apache configuration file:

    DirectoryIndex index.html
    

    This will make Apache look for an index.html file (or any other specified file) and display it instead of the directory listing.

  3. Restrict access: Implement access controls to restrict access to sensitive directories. This can be done using Apache’s mod_authz_host module. For example, to restrict access to a directory based on IP address, add the following lines to the Apache configuration file:

    <Directory /path/to/directory>
        Require ip 192.168.0.0/24
    </Directory>
    

    This will only allow access to the specified directory from the IP range 192.168.0.0/24.

About

The vulnerability of Directory Browsing in Apache 2 allows an attacker to view the contents of a directory on a web server. By accessing a directory without an index file, the server displays a listing of the directory contents. This can expose sensitive information such as hidden scripts, include files, backup source files, etc.

Risks

The risks associated with the Directory Browsing vulnerability in Apache 2 include:

  • Exposure of sensitive information: Directory listings can reveal files that were not intended to be publicly accessible, such as configuration files, database backups, or source code files. This can provide valuable information to an attacker and potentially lead to further exploitation.

  • Information disclosure: By analyzing the directory structure and file names, an attacker can gain insights into the organization’s infrastructure, software versions, and potentially identify other vulnerabilities.

  • Increased attack surface: Directory browsing provides an additional attack vector for an attacker to gather information and plan further attacks. It can be used as a reconnaissance technique to identify potential targets or weaknesses in the web application or server configuration.