Directory Listing

Severity: Medium
Test name: Directory Listing
Summary

A directory listing vulnerability exposes the list of files and subdirectories on the server for a directory path given in the URL. A web server can be configured to generate such a listing whenever a directory has no index file (such as "index.html", "index.php" or "default.jsp"). Even after directory listing has been disabled, an attacker can still use a search engine together with the victim's domain name to find the content of directories that were indexed while the setting was enabled. In addition, an attacker may guess the location of sensitive files using automated tools.

Impact

This vulnerability allows an attacker to:

  • Expose the directory structure of the web application
  • Obtain file information (filename, creation time, size)
  • Obtain the source code of your application or its configuration files
  • Determine which third-party libraries are used and their versions
  • Download logs or database dumps
Example
  1. Directory listing is enabled on the web server that hosts your website. The "config" folder is in the web root folder and does not have an index file.
  2. A user makes the following request:
https://www.{your_web_site}.com/config
  3. The response shows the directory content of the "config" folder:
.git/                   2021-05-01 17:00  -
environment/            2021-05-01 17:00  -
db.php                  2021-05-01 17:00  333
params.php              2021-05-01 17:00  3.3K
db_dump.sql             2021-05-01 17:00  300K
install.log             2021-05-01 17:00  30M
Location

The issue can be found in the server configuration.

Remedy suggestions
  • Disable the directory listing setting on your web server by changing the web server configuration.
    • Apache
    <Directory /var/www/your_web_site.com>
        Options -Indexes
    </Directory>
    
    • Nginx (autoindex is set per server or location block; a "location" matches a URI, not a filesystem path, so the setting belongs in the server block that serves your web root)
    server {
        root /var/www/your_web_site.com;
        autoindex off;
    }
    
  • Change the directory structure and move sensitive files (configs, source code, logs, dumps) outside the web root folder of the web application.
  • If directory listing cannot be disabled, place an index file (such as "index.htm") in every directory below the web root folder, so the web server serves that file instead of displaying the directory content.
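To confirm that the remedy took effect on your own server, the following added check (example code, not part of this page or of any scanner) classifies an HTTP response as an auto-generated directory index and flags the listed entries that fall into the impact categories above. The sample response bodies are constructed; in practice you would pass the status code and body returned by your HTTP client for each directory path under your web root.

```python
import re
from dataclasses import dataclass, field
# Title patterns from common autoindex implementations: Apache mod_autoindex and
# nginx autoindex emit "Index of", Tomcat and Python's http.server "Directory listing for".
_TITLE_RE = re.compile(
    r"<title>\s*(?:Index of|Directory listing for)\s+(/[^<]*?)\s*</title>", re.I)
_HREF_RE = re.compile(r'<a\s+href="([^"]+)"', re.I)
# File classes from the impact list above: VCS data, configs/source, dumps, logs.
_SENSITIVE_RE = re.compile(
    r"^\.git/$|^\.env|\.(php|inc|conf|ini|ya?ml|json|sql|log|bak|old|zip|tar\.gz)$", re.I)

@dataclass
class ListingReport:
    is_listing: bool
    path: str = ""
    entries: list = field(default_factory=list)
    sensitive: list = field(default_factory=list)

def classify_response(status: int, body: str) -> ListingReport:
    """Report whether an HTTP response is an auto-generated directory index."""
    # A 403 (Apache 'Options -Indexes') or 404 means the path leaks no listing.
    if status != 200:
        return ListingReport(False)
    title = _TITLE_RE.search(body)
    if not title:
        return ListingReport(False)
    entries = []
    for href in _HREF_RE.findall(body):
        # Skip the parent-directory link, Apache's column-sort links ("?C=N;O=D")
        # and absolute links; what remains are the listed files and folders.
        if href == "../" or href.startswith(("?", "/", "http://", "https://")):
            continue
        entries.append(href)
    return ListingReport(True, title.group(1), entries,
                         [e for e in entries if _SENSITIVE_RE.search(e)])

# Constructed sample bodies (not captured from a real host). The first mirrors
# the "config" listing in the example above, in nginx-style markup.
LISTING_BODY = """<html><head><title>Index of /config/</title></head>
<body><h1>Index of /config/</h1><hr><pre><a href="../">../</a>
<a href=".git/">.git/</a>                 01-May-2021 17:00   -
<a href="environment/">environment/</a>   01-May-2021 17:00   -
<a href="db.php">db.php</a>               01-May-2021 17:00   333
<a href="params.php">params.php</a>       01-May-2021 17:00   3.3K
<a href="db_dump.sql">db_dump.sql</a>     01-May-2021 17:00   300K
<a href="install.log">install.log</a>     01-May-2021 17:00   30M
</pre><hr></body></html>"""
# A normal page that merely mentions "Index of" in its body must not be flagged.
NORMAL_BODY = ('<html><head><title>Welcome</title></head><body>'
               '<p>Index of terms: <a href="glossary.html">glossary</a></p></body></html>')
```

A non-empty `sensitive` list on any path means the remedy is incomplete for that directory; an empty report for every path under the web root is the expected result after the configuration change.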
Classification
  • CWE-548
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References