Directory Listing Enabled On Mentioned Path
Title:
Found Directory listing Enabled for the following path/s. This can result into exposing sensitive information such as content or code, to the malicious user.
Vulnerability:
What is Directory listing?
Directory listing, as it is named, enable a client to see every one of the file under a folder served by the site. On the off chance that an attacker sees every one of the files (including the source files/codes), one can create attacks that conceivably can by-pass the security checks. This fundamentally elevates the rights of the user increasing chances to web hack and server take-over.
With this vulnerability an attacker could see the contents and directory structure of the web server. In such cases if the configuration setting of the web server are not done securely it could allow the attacker to inject 3rd party malicious code file within the directory (or root folder too) or simply modify the code to grating admin rights access to the attacker and altering content of the web server.
Directory listing could be exploited for various other attacks if the OS level patching and web server level configurations are not done to avoid known exploitable vulnerabilities.
Solution:
Disabling Directory Listing on Tomcat Server
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
Disabling Directory Listing on Nginx Server
server {
listen 80;
server_name domain.com www.domain.com;
access_log /var/...........................;
root /path/to/root;
location / {
index index.php index.html index.htm;
}
location /somedir {
autoindex on;
}
}
Disabling Directory Listing on IIS Server
Disabling Directory Listing on Apache Web Server
<Directory /{YOUR DIRECTORY}>
Options FollowSymLinks
</Directory>
