
question about directory browsing


afallingpanda


Hello guys, I was wondering: I wanted to stop people from just typing the folder root into the URL and being able to see the directory browsing page, so instead of placing .htaccess in every folder, I decided to add an index.php to every folder which has a "header("location: ../index.php");".

 

So basically if a user does go to the link of the folders, they get redirected back to the index page.

 

Now my only question is: is this as safe and secure as .htaccess? Like, no one can work their way around it and see the directory browsing somehow?

 

Thanks in advance.


Hi afallingpanda. Securing a directory is not only about hiding its contents from the public; sometimes directories contain files (images, videos, etc.) which are uploaded by users. In that case, as in many other cases, you need, for example, to prevent execution of .php files in that directory to avoid someone executing a shell from there.

 

.htaccess can help you in many ways, such as error documents, password protection, enabling SSI via htaccess, blocking users by IP, blocking users/sites by referrer, changing your default directory page, redirects, preventing hot linking of your images and other file types, and preventing directory listing.

 

But of course using .htaccess has its downsides: Apache generally discourages its use unless it's overriding a general behavior, since it can be slower (if the parent folder does not contain .htaccess, it must then check the parent of the parent folder for .htaccess, on up to the root folder). However, that doesn't mean it can't be useful.

 

My advice to you is to use a .htaccess file instead of an index.php file for redirecting, because .htaccess has many more options and capabilities to provide.

 

Edit: typo.

Edited by JIXO


So then what would I write in my .htaccess file to block the user from browsing my directory?


Well, that's really simple: create the .htaccess file inside the directory you want to prevent listing for and write inside:

Options -Indexes

For more customization, consider the IndexIgnore option. If you do not want specific files to be listed, use:

IndexIgnore *.gif *.jpg

This will list all files except files ending with .gif and .jpg. You can also use the wildcard * to prevent listing any files:

IndexIgnore *

Hope this helps.

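Added example, not JIXO's code: one .htaccess for a user-upload directory that combines the listing directives above with the point from JIXO's first reply about never letting uploaded .php files execute. It assumes Apache 2.4 (the Require syntax) and an AllowOverride that permits Options, Indexes and AuthConfig in this directory; the ignore patterns and the extension list are my own choices.

```apache
# Added example: .htaccess for a directory that receives user uploads.
# Assumes Apache 2.4 and AllowOverride covering Options, Indexes and AuthConfig.

# No directory listing (the directive JIXO gives above), and no following of
# symlinks, so an uploaded link cannot expose something outside this folder.
Options -Indexes -FollowSymLinks

# If a listing is ever re-enabled, keep dotfiles and editor/backup copies out of it.
IndexIgnore .??* *~ *.bak

# Uploaded files must never run as code. Refuse anything that looks like a PHP
# script, including double extensions such as name.php.jpg, which some handler
# configurations still hand to the PHP engine.
<FilesMatch "\.ph(p[0-9]?|tml|ar)(\.|$)">
    Require all denied
</FilesMatch>
```

If the virtual host sets AllowOverride None, Apache never reads this file at all, and the same directives belong in a <Directory> block in the server configuration instead. On Apache 2.2 the deny inside FilesMatch would be spelled "Order deny,allow" followed by "Deny from all".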

Or there are many other ways of doing this. You can basically create an index file in the directory, and when they access it, they see nothing. Or you can put something you like. Or in PHP, you can make an index file such as index.php and put a redirect in there, so when someone accesses your directory, they get redirected. You can also specify if you want a certain IP to access it too. There are many ways to approach this.


Well, that's really simple: create the .htaccess file inside the directory you want to prevent listing for and write inside:

Options -Indexes

 

That will prevent directory listing, but not prevent people from running scripts directly or accessing files that they shouldn't have access to.

 

In such a case, you can use deny from all in an .htaccess file to completely prevent access through Apache to those directories.

 

You can skip the .htaccess and put this directly into the virtual host if you like, which gives you a lot more power and control. For example, you can target specific directories/files with paths that way.

 

EDIT:

Or there are many other ways of doing this. You can basically create an index file in the directory, and when they access it, they see nothing. Or you can put something you like. Or in PHP, you can make an index file such as index.php and put a redirect in there, so when someone accesses your directory, they get redirected. You can also specify if you want a certain IP to access it too. There are many ways to approach this.

This really shouldn't be done with PHP; Apache can do it much better.

Edited by scootstah


Wait, why use Apache to do this? It totally ignores who can and can't access any file in the subdirectory. What if an admin has the authorization to access and edit the files directly? Are you going to ignore him and say he can't access it because you are using Apache? With PHP, you can do something like this.

 

<?php
session_start(); // $_SESSION is empty until the session has been started
if (isset($_SESSION['username']) && $_SESSION['username'] === "admin") {
    // Good news, you are the admin and are allowed to access this file.
} else {
    // Looks like you're not the admin. Let's redirect you.
    header("Location: ../index.php");
    exit; // stop here, otherwise the rest of the page is still sent to a non-admin
}
?>

OR you can use a specified IP Address to allow or disallow access.

<?php
if ($_SERVER['REMOTE_ADDR'] === "YOUR IP") {
    // Good news, your IP address matches this and you are allowed to access this file.
} else {
    // Well now then. Your IP address doesn't match, let's redirect you.
    header("Location: ../index.php");
    exit; // a redirect header alone does not stop the script from running
}
?>

I mean, if you use Apache to disallow access to the directory, you are ignoring the fact that the person might have authorization to edit other files in the directory. You can, however, allow a certain IP address to access the directory using Apache, but if you know anything about IP addresses, they change a lot, and not every IP address is correct. It's simple to change one's IP address: turn off your router or modem for 6 hours, turn it back on, and voilà, you've got a new IP address. Apache can only recognize IP addresses and disallow them if specified. It can't determine if someone is logged in and is an admin and has authorization to access the folder. I mean, this isn't the best way to approach it, because you really shouldn't let anyone access folders anyway, but using Apache as a means of disallowing has its flaws.


Wait, why use Apache to do this? It totally ignores who can and can't access any file in the subdirectory. What if an admin has the authorization to access and edit the files directly? Are you going to ignore him and say he can't access it because you are using Apache? With PHP, you can do something like this.

If you have stuff in a directory that you do not want to allow the general public to access, then you should just deny access to the whole directory, or better yet store that stuff outside the webroot so it's not accessible via Apache at all.

 

If you have a certain selection of users that may need to access stuff within that directory, then you create a gateway script in PHP which will verify the user and then serve up the data.

 

That way someone can't just bypass your PHP script and access a file directly should they know the URL.

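Added example of the gateway script described in the post above; it is my code, not thorpe's. The protected directory, the allowlisted file names and the session field are assumptions: the files are assumed to sit outside DocumentRoot, and a separate login script is assumed to have set $_SESSION['username'].

```php
<?php
// Added example of the "gateway script" approach: the files live OUTSIDE the
// document root, so Apache cannot serve them directly. Every request must come
// through this script, which checks the user and then streams the file itself.
session_start();

// Assumption: protected files are stored here, outside DocumentRoot.
const PROTECTED_DIR = '/var/www/protected';

// Allowlist of files that may be served, with the Content-Type to send.
// Constructed names for this example; anything not listed is never served.
$allowed = [
    'report.pdf' => 'application/pdf',
    'photo.jpg'  => 'image/jpeg',
];

// 1. Who is asking? The same check the earlier post sketches, before any file I/O.
//    Assumes the login script stored the user name in $_SESSION['username'].
if (($_SESSION['username'] ?? '') !== 'admin') {
    http_response_code(403);
    exit('Forbidden');
}

// 2. What are they asking for? Look the name up in the allowlist instead of
//    building a path from the raw parameter, so "../" and unknown names go nowhere.
$name = $_GET['file'] ?? '';
if (!isset($allowed[$name])) {
    http_response_code(404);
    exit('Not found');
}
$path = PROTECTED_DIR . '/' . $name;
if (!is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// 3. Serve it ourselves, telling the browser what it is and not to guess.
header('Content-Type: ' . $allowed[$name]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

It is called as gateway.php?file=report.pdf. A new file becomes available by adding it to the allowlist, and the directory itself never has a URL, which is thorpe's point: there is no address a visitor can type that reaches a file without passing the check.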

Wait, why use Apache to do this? It totally ignores who can and can't access any file in the subdirectory. What if an admin has the authorization to access and edit the files directly? Are you going to ignore him and say he can't access it because you are using Apache? With PHP, you can do something like this.


You're correct that if you want dynamic access control, Apache probably isn't a good fit. However, I don't really see your scenario as being a real-world problem...sounds like poor design to me.

 

I mean, if you use Apache to disallow access to the directory, you are ignoring the fact that the person might have authorization to edit other files in the directory.

You don't have to disallow an entire directory with Apache; you can also disallow to specific files, or files in a pattern.

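Added example, not scootstah's configuration: the controls discussed in this thread written into the virtual host instead of .htaccess, covering both points scootstah makes above, denying a whole directory and denying only specific files or a pattern of files. The hostname, paths, file names and the address are placeholders.

```apache
# Added example: the same controls placed in the virtual host rather than in
# per-directory .htaccess files. Hostname, paths, names and address are placeholders.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot "/var/www/example/public"

    # Site-wide defaults: no listings, and with AllowOverride None Apache never
    # walks the tree looking for .htaccess files, which removes the cost JIXO mentions.
    <Directory "/var/www/example/public">
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # A directory that must not be reachable through Apache at all.
    # This is the 2.4 spelling of the "deny from all" used earlier in the thread.
    <Directory "/var/www/example/public/private">
        Require all denied
    </Directory>

    # Only a specific file, or a pattern of files, anywhere under the site.
    <Files "config.php">
        Require all denied
    </Files>
    <FilesMatch "\.(inc|bak|sql|log|old)$">
        Require all denied
    </FilesMatch>

    # One file that a single address may fetch; everyone else gets 403. As the
    # post about changing IP addresses says, an address is a weak identifier on
    # its own, so treat this as an extra layer, not as the login check.
    <Files "admin-tool.php">
        Require ip 203.0.113.10
    </Files>
</VirtualHost>
```

Directives in a <Directory> block apply to that path and everything below it, while <Files> and <FilesMatch> in the virtual host apply to matching names wherever they occur under the site, which is what makes targeting individual files or a pattern possible without touching each folder.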
