Question On General Site Exploiting


elmiguel's Avatar
Member
2,795 1

Ok, I have a friend who owns a website. Not very well done. He has it through a very knowing web hosting company (honestly a shitty one to my standards). Anyway, we were talking and I started to show him the basic changing of the URL stuff. Is there a way to block it? For instance: http://www.example.com/index.html then to find out what's on the pages http://www.example.com/images/. yada. So back to the point: is there a way to block that type of stuff? And is there a way to test or see if it is possible to drop a list of the root folder itself? Then a way to stop it from dropping a list. (Cannot release the name of his site per his request)


ghost's Avatar
0 0

A simple fix would be adding an index.html page in every folder you want "secured" saying

Directory listing not allowed

or something like that.

If you want to ACTUALLY store files in a public place, but restrict access, do some research on "htaccess".


elmiguel's Avatar
Member
2,795 1

Cool, I will read up more on .htaccess. Now, is there a way to test to see if I could drop a list of the root folder through the URL address, if that is possible, or is there a different method I should be testing? (Testing web sites is different outside of HBH, LOL)


ghost's Avatar
0 0

You cannot drop root in the same fashion.

What happens is, if you point to a directory, and there is NO index.html page, then Apache gives a directory listing.

So an index.html page actually protects it pretty well.

But once again, if the location of files is critical to your security, you should probably think about redesigning your site ;)


ghost's Avatar
0 0

DigitalFire wrote: You cannot drop root in the same fashion.

What happens is, if you point to a directory, and there is NO index.html page, then Apache gives a directory listing.

So an index.html page actually protects it pretty well.

Hmm, I can't believe I wasn't aware of that, lol. Guess I just never thought about it or noticed it. Haha, guess you learn something new every day.


richohealey's Avatar
Python Ninja
0 0

DigitalFire wrote: You cannot drop root in the same fashion.

What happens is, if you point to a directory, and there is NO index.html page, then Apache gives a directory listing.

So an index.html page actually protects it pretty well.

But once again, if the location of files is critical to your security, you should probably think about redesigning your site ;)

Actually you're wrong.

Assuming you're using Apache, though most httpds are compliant:

It looks through the default extensions (on my server, .py, .php, .html) looking for the default name (defaults to index).

Failing this, it then performs the default action, which DEFAULTS to a dirlisting.

You can point that to a 404 if you want, or just turn DirectoryListing False in httpd.conf
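
An added example, not part of any post in this thread: a small Python check for the question asked above, namely how to test whether a directory URL on a site you administer returns an Apache listing. The sample responses are constructed, the function names are this example's own, and the comments name the Apache setting that turns listings off, `Options -Indexes`.

```python
import re
import urllib.error
import urllib.request

# Apache mod_autoindex pages carry "Index of /path" in both <title> and <h1>.
AUTOINDEX_RE = re.compile(
    r"<title>\s*Index of /[^<]*</title>.*?<h1>\s*Index of /", re.I | re.S)

def classify(status, body):
    """Classify one response to a directory URL (path ending in '/')."""
    if status == 200 and AUTOINDEX_RE.search(body):
        # Fix: `Options -Indexes` in the <Directory> block or in .htaccess
        # (.htaccess only works if AllowOverride permits Options).
        return "LISTING_EXPOSED"
    if status == 200:
        return "INDEX_SERVED"    # an index file (DirectoryIndex match) answered
    if status == 403:
        return "LISTING_DENIED"  # typical when no index file and autoindex is off
    if status == 404:
        return "NOT_FOUND"
    return "OTHER_%d" % status

def fetch(url, timeout=5):
    """Fetch a directory URL on your own site; returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlist-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

def audit(responses):
    """responses: {directory_url: (status, body)} -> sorted exposed URLs."""
    return sorted(url for url, (status, body) in responses.items()
                  if classify(status, body) == "LISTING_EXPOSED")

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "http://www.example.com/images/": (200,
        "<html><head><title>Index of /images</title></head><body>"
        "<h1>Index of /images</h1><a href=\"logo.png\">logo.png</a></body></html>"),
    "http://www.example.com/docs/": (200,
        "<html><head><title>Docs</title></head>"
        "<body>Directory listing not allowed</body></html>"),
    "http://www.example.com/private/": (403, "<h1>Forbidden</h1>"),
}

if __name__ == "__main__":
    for url, (status, body) in SAMPLES.items():
        print(url, classify(status, body))
```

To check a live site you run, build the dictionary with `fetch()` for each directory URL and pass it to `audit()`.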


elmiguel's Avatar
Member
2,795 1

Cool, so mainly all I have to do is set up his .htaccess and just start making path redir if someone tries to change the URL. I will search the code bank to see if there are some good scripts to add for other security. Thanks for all the input.