Directory Listing vulnerability allows showing a list of directories and files on the server side for a directory path specified in the URL. The web server on the victim site can be configured to list the directory content if an index file (such as "index.html", "index.php", "default.jsp") does not exist. Even when the directory listing is disabled, an attacker is able to use search engines with a combination of the victim’s domain name to find the directory content for the target path which had previously enabled the directory listing setting. In addition, an attacker may guess the location of sensitive files using automated tools.
Impact
This vulnerability allows an attacker to:
Expose directory architecture of the web application
Get file information (filename, creation time, size)
Gain source code of your application or configuration files
Determine used third party libraries and their versions
Download logs or database dumps
Example
The directory listing is enabled on the web server where your website is located. The "config" folder is in the web root folder and does not have an index file.
A user makes the following request:
https://www.{your_web_site}.com/config
The response shows the directory content of the "config" folder :
Change the directory structure and move sensitive files (configs, source code, logs, dumps) above the web root folder of the web application.
If it is impossible to disable the directory listing, then put an index file (such as "index.htm") into each directory which is below the web root folder, so your web server will display this file instead of displaying the directory content.