How you can disable directory listing on your web server – and why you should

Zbigniew Banach - Fri, 02 Aug 2019 -

This article explains what directory listing is, why it can be dangerous, and how to disable it on a variety of web servers, including Apache, Nginx, and Microsoft Internet Information Services (IIS).

Misconfigured or default web server settings can lead to a number of issues that aid attackers. One common web server issue is directory listing. Many administrators leave it enabled by mistake, creating an information disclosure issue (leakage of sensitive information), because it lets everyone see all the files and directories on a website.

This article explains what directory listing is and how to:

What is directory listing?

Directory listing is a web server feature that, when enabled, lists the contents of a directory that has no index file (e.g. index.php or index.html). So when a directory with directory listing enabled and no index file such as index.php or index.asp is requested, the web server returns a listing of that directory, even if it contains files belonging to a web application. This is an information leakage issue, and attackers can use the leaked information to craft further attacks, including direct-impact vulnerabilities such as XSS.

When directory listing is enabled, the content of the directory can be seen via the browser.

As you can see from the picture above, the directory listing feature generates output similar to the dir or ls command on an operating system. Directory listing issues are the type of issue that an SSL certificate won't protect you from. The good news is that these issues can be easily identified with an automated web vulnerability scanner.
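To show how a scanner recognises the index pages described above, here is an added Python example (not code from the article or from Netsparker). It classifies sample HTTP responses as directory listings or not and extracts the entries a listing exposes. The responses are constructed for this example, and the title and heading markers it looks for are heuristics modelled on the stock index pages of the servers covered in this article; a real scanner would fetch the responses itself.

```python
import re

# Constructed sample responses, (status, body): none captured from a real host.
# The first four imitate the default index pages of the servers covered in
# this article; the last two are pages that must NOT be flagged.
SAMPLE_RESPONSES = {
    "apache": (200, '<html><head><title>Index of /secret</title></head><body>'
                    '<h1>Index of /secret</h1><a href="?C=N;O=D">Name</a> '
                    '<a href="config.php.bak">config.php.bak</a></body></html>'),
    "nginx": (200, '<html><head><title>Index of /secret/</title></head><body>'
                   '<h1>Index of /secret/</h1><hr><pre><a href="../">../</a>\n'
                   '<a href="db.sql">db.sql</a></pre></body></html>'),
    "tomcat": (200, '<html><head><title>Directory Listing For /secret/</title></head>'
                    '<body><h1>Directory Listing For /secret/</h1></body></html>'),
    "iis": (200, '<html><head><title>www.example.com - /secret/</title></head><body>'
                 '<H1>www.example.com - /secret/</H1><hr><pre>'
                 '<A HREF="/">[To Parent Directory]</A><br>'
                 '<A HREF="/secret/web.config">web.config</A></pre></body></html>'),
    "forbidden": (403, '<html><head><title>403 Forbidden</title></head>'
                       '<body><h1>Forbidden</h1></body></html>'),
    "articles": (200, '<html><head><title>Index of /articles</title></head>'
                      '<body><h1>All our articles</h1><a href="/articles/1">First</a></body></html>'),
}

# Title shapes of the stock index pages (heuristics, not an exhaustive signature set).
_TITLE_PATTERNS = (
    re.compile(r"<title>\s*Index of (/[^<]*?)\s*</title>", re.I),               # Apache, Nginx, Lighttpd
    re.compile(r"<title>\s*Directory Listing For (/[^<]*?)\s*</title>", re.I),  # Tomcat DefaultServlet
    re.compile(r"<title>[^<]*? - (/[^<]*?)\s*</title>", re.I),                  # IIS directory browsing
)
_H1 = re.compile(r"<h1>\s*([^<]*?)\s*</h1>", re.I)
_HREF = re.compile(r'<a\s+href="([^"]+)"', re.I)


def looks_like_listing(status, body):
    """Return the listed path if the response is a directory index page, else None.
    A matching <title> alone is not enough: stock index pages repeat the path in
    their <h1> (IIS also carries a parent-directory link), which rules out ordinary
    pages that merely have 'Index of' in their title."""
    if status != 200:
        return None
    for pattern in _TITLE_PATTERNS:
        match = pattern.search(body)
        if not match:
            continue
        path = match.group(1)
        heading = _H1.search(body)
        if (heading and path in heading.group(1)) or "[To Parent Directory]" in body:
            return path
    return None


def listed_entries(body):
    """Entry names an index page exposes (skips parent links and Apache's sort links)."""
    return [h for h in _HREF.findall(body) if h not in ("../", "/") and not h.startswith("?")]


def audit(responses):
    """Map response name -> listed path for every response that is a directory index."""
    findings = {}
    for name, (status, body) in responses.items():
        path = looks_like_listing(status, body)
        if path is not None:
            findings[name] = path
    return findings
```

The corroboration step (path repeated in the heading, or the IIS parent link) is what keeps a page that happens to be titled "Index of /articles" out of the findings; the entry extraction shows what an attacker would have seen, such as the config.php.bak from the scenario below.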

What information is leaked via directory listing and what is the risk?

Let's assume that a backup copy of config.php, the file in which the credentials for a database connection are kept, sits in the secret folder, which has directory listing enabled.

If the attacker finds the secret folder by crawling or fuzzing and accesses it directly, e.g. http://www.example.com/secret/, they can see and download the backup file, which contains the database connection details. The attacker now has the connection details for the web application's database and can use these credentials to damage the database or the web application.

How to disable directory listing

As a security best practice, directory listing should be disabled. One way to do so is to create an empty index file (index.php, index.html or any other extension your web server is configured to parse) in the relevant directory. In many cases, though, this is not the best solution, because such files are easily forgotten, for example when migrating the web application from development to production or when new directories are added.

You should therefore implement a permanent and secure solution by disabling directory listing at the web server level, as explained in this article.

Disabling directory listing for selected web servers

Disabling directory listing on Tomcat

In Tomcat 5.0, directory listing is disabled by default. However, if it was enabled because of a regression or configuration changes, you can disable it again. Directory listing can be configured at two different scopes: the first affects all web projects on the server, and the second affects only a specified website.

Disabling directory listing in all web projects

To disable directory listing on the Tomcat web server, open the conf/web.xml file in the directory where Tomcat is installed. In our test on Windows 10, the default installation directory was "C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0". Locate the definition of the default servlet, which looks like this:

<servlet>
     <servlet-name>default</servlet-name>
     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
     <init-param>
          <param-name>debug</param-name>
          <param-value>0</param-value>
     </init-param>
     <init-param>
          <param-name>listings</param-name>
          <param-value>false</param-value>
     </init-param>
     <load-on-startup>1</load-on-startup>
</servlet>

Find the <init-param> whose <param-name> is listings. Its <param-value> is the determining factor in this section: if it is true and you want to disable directory listing, change it to false.

You can directly copy and modify the following code:

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

Disabling directory listing in a specific web project

In the first method, we configured a general setting that applies to all the web projects running on the server. In this method, we configure it so that it only affects the website we change. Open the web.xml file of the relevant web project and add the following code:

<servlet>
    <servlet-name>DefaultServletOverride</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>DefaultServletOverride</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

With the above change, the default servlet is overridden for this web application. The website we made this change on now runs independently of the setting configured in the first method.
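As an added example (not part of the article and not Tomcat's own code), the following Python script audits a web.xml for the setting described in both Tomcat methods above. It reports every servlet backed by DefaultServlet together with the value of its listings parameter, and can rewrite the file to listings=false, inserting the parameter where it is absent. The two web.xml fragments are constructed for the example, the namespace handling covers the default namespace that Tomcat's own conf/web.xml declares, and the script assumes, as Tomcat documents, that a missing listings parameter means false.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed samples (not real Tomcat files). The first imitates a trimmed
# conf/web.xml with the default namespace Tomcat 8+ declares and listings
# switched on; the second is an application web.xml override that never
# mentions listings at all.
SAMPLE_GLOBAL_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

SAMPLE_APP_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>DefaultServletOverride</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>DefaultServletOverride</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _ns(tag, root):
    """Qualify a tag with the document's default namespace, if it declares one."""
    return root.tag[: root.tag.index("}") + 1] + tag if root.tag.startswith("{") else tag


def _default_servlets(root):
    """Yield every <servlet> element whose class is Tomcat's DefaultServlet."""
    for servlet in root.iter(_ns("servlet", root)):
        if servlet.findtext(_ns("servlet-class", root), default="").strip() == DEFAULT_SERVLET:
            yield servlet


def listing_servlets(xml_text):
    """Map servlet-name -> listings value for every DefaultServlet definition.
    A missing listings parameter is reported as 'false', Tomcat's documented default."""
    root = ET.fromstring(xml_text)
    report = {}
    for servlet in _default_servlets(root):
        value = "false"
        for param in servlet.findall(_ns("init-param", root)):
            if param.findtext(_ns("param-name", root), default="").strip() == "listings":
                value = param.findtext(_ns("param-value", root), default="").strip().lower()
        report[servlet.findtext(_ns("servlet-name", root), default="").strip()] = value
    return report


def disable_listings(xml_text):
    """Return the web.xml text with listings=false on every DefaultServlet, adding the
    init-param (before load-on-startup, where the schema expects it) if it is absent."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        # Keep the default namespace unprefixed when serialising the result
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    for servlet in _default_servlets(root):
        found = False
        for param in servlet.findall(_ns("init-param", root)):
            if param.findtext(_ns("param-name", root), default="").strip() == "listings":
                value = param.find(_ns("param-value", root))
                if value is None:
                    value = ET.SubElement(param, _ns("param-value", root))
                value.text = "false"
                found = True
        if not found:
            param = ET.Element(_ns("init-param", root))
            ET.SubElement(param, _ns("param-name", root)).text = "listings"
            ET.SubElement(param, _ns("param-value", root)).text = "false"
            startup = servlet.find(_ns("load-on-startup", root))
            servlet.insert(list(servlet).index(startup) if startup is not None else len(servlet), param)
    return ET.tostring(root, encoding="unicode")
```

Running listing_servlets over both the global conf/web.xml and each application's web.xml gives the complete picture, since the per-application override described in the second method wins over the server-wide setting from the first.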

Disabling directory listing on Nginx

The directory listing feature on Nginx is controlled by the ngx_http_index_module. Directory listing is disabled in the default Nginx configuration. However, if it was enabled because of a regression or configuration changes, you can disable it again. The Nginx autoindex directive, used inside a location block, enables or disables the directory listing feature.

The default configuration file of an Nginx server is called nginx.conf and can be found in /usr/local/nginx/conf, /etc/nginx or /usr/local/etc/nginx. If the default value has been changed, you will see a setting similar to the following:

server {
    listen 80;
    server_name domain.com www.domain.com;
    access_log /var/...........................;
    root /path/to/root;
    location / {
        index index.php index.html index.htm;
    }
    location /somedir {
        autoindex on;
    }
}

In this section, the determining directive is autoindex on;, as mentioned above. In the example, directory listing is enabled only for the somedir directory. If no specific directory is given (e.g. location / { autoindex on; }), the rule applies to all folders. To disable directory listing, switch the value of autoindex to off. Do not forget to run the command below for the change to take effect:

service nginx restart
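Because autoindex is inherited from the http and server contexts down into every location that does not override it, a single autoindex on; at server level switches listings on for the whole site, which is easy to miss when reviewing a large configuration. The following Python script is an added example, not code from the article or from the Nginx project: it parses a simplified nginx.conf, walks the http/server/location tree and lists every scope where autoindex is effectively on. The sample configuration and hostnames are constructed, and the parser assumes the ordinary directive-and-block syntax without include files.

```python
import re

# Constructed sample (not a real nginx.conf); paths and hostnames are made up.
SAMPLE_NGINX_CONF = """
http {
    autoindex off;                       # global default
    server {
        listen 80;
        server_name www.example.com;
        root /var/www/html;
        location / { index index.php index.html index.htm; }
        location /somedir { autoindex on; }          # listing enabled for one directory
        location /downloads {
            autoindex on;
            location /downloads/private { autoindex off; }   # nested override wins
        }
    }
    server {
        listen 8080;
        server_name staging.example.com;
        autoindex on;                    # server-wide: every location inherits it
        location /api { autoindex off; }
        location /assets { }
    }
}
"""

_TOKEN = re.compile(r"\"[^\"]*\"|'[^']*'|[{};]|[^\s{};\"']+")


def parse(text):
    """Minimal nginx config parser: returns a list of (name, args, children);
    children is None for a simple directive and a list for a block."""
    tokens = _TOKEN.findall("\n".join(line.split("#", 1)[0] for line in text.splitlines()))
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in (";", "{"):
                words.append(tokens[pos])
                pos += 1
            if tokens[pos] == ";":
                pos += 1
                items.append((words[0], words[1:], None))
            else:
                pos += 1                      # skip '{'
                children = block()
                pos += 1                      # skip the matching '}'
                items.append((words[0], words[1:], children))
        return items

    return block()


def autoindex_report(text):
    """Return [(server_name, scope)] for every scope where autoindex is effectively on.
    nginx inherits the directive http -> server -> location -> nested location, and
    the innermost explicit setting wins."""
    findings = []

    def walk(items, inherited, server, scope):
        local = inherited
        for name, args, children in items:
            if name == "autoindex" and children is None and args:
                local = args[0].lower() == "on"
        if local and server is not None:
            findings.append((server, scope or "(server-wide)"))
        for name, args, children in items:
            if children is None:
                continue
            if name == "server":
                srv = next((a[0] for n, a, _ in children if n == "server_name" and a), "(unnamed)")
                walk(children, local, srv, None)
            elif name == "location":
                walk(children, local, server, " ".join(args))
            else:
                walk(children, local, server, scope)

    walk(parse(text), False, None, None)
    return findings


def disable_all(text):
    """Flip every 'autoindex on;' to 'autoindex off;', the fix the article prescribes."""
    return re.sub(r"\bautoindex\s+on\s*;", "autoindex off;", text)
```

The report names the staging server as "(server-wide)" and still lists /assets beneath it separately, so a reviewer sees both the root cause and the locations it reaches; after disable_all the report is empty.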

Disabling directory listing on LiteSpeed

Like all the other web servers covered so far, the LiteSpeed web server lets you disable directory listing at both the web server and the website level. To disable it at the server level, you can manually edit the httpd_config.xml file, or you can do it through the LiteSpeed server control panel.

httpd_config.xml file:

The configuration XML file of the LiteSpeed web server.

As you can see from the code example in the screenshot above, to disable directory listing at the server level, add the following line to the httpd_config.xml file:

<autoIndex>0</autoIndex>

vhconf.xml:

To enable or disable directory listing at the website level, open the vhconf.xml file of the relevant virtual host (under /VIRTUAL_HOST_ADI/conf/vhconf.xml) and make the equivalent setting there.

Disabling directory listing on Lighttpd

Directory listing is disabled by default on a Lighttpd web server. However, if it was enabled because of a regression or configuration changes, you can disable it again in the dirlisting.conf file. The configuration file of mod_dirlisting is /etc/lighttpd/conf.d/dirlisting.conf.

The configuration file of the Lighttpd web server.

To disable directory listing on the server, you must replace the related line with the following:

dir-listing.activate = "disable"

If you want to enable directory listing for a particular directory, you must make the following changes in the configuration file specifically for that directory:

$HTTP["url"] =~ "^/download($|/)" {
    dir-listing.activate = "enable"
}

Disabling directory listing on IIS

Directory listing on the IIS web server is disabled by default. However, if it was enabled because of a regression or configuration changes, you can disable it again from the configuration interface of the IIS web server.

For IIS 7 and above, you can disable directory listing from the Directory Browsing settings in the IIS Manager console.

You can disable Directory Listing on a Microsoft IIS web server from the Directory Browsing settings.

Alternatively, you can run the following command on the command line:

appcmd set config /section:directoryBrowse /enabled:false

Disabling directory listing on Apache

To disable directory listing on an Apache web server, you can either create a .htaccess file in the relevant application directory or edit the httpd.conf file. Add the following lines to the httpd.conf file, or replace the existing lines with them:

<Directory /{YOUR DIRECTORY}>
    Options FollowSymLinks
</Directory>

As you can see from the example above, remove the Indexes and MultiViews keywords from the Options line so that the directory listing feature is safely disabled on the Apache web server.
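Apache merges Options from less specific to more specific <Directory> sections (and from .htaccess files where AllowOverride permits it), and a line written with + and - adjusts the inherited set while a line of bare keywords replaces it, so removing Indexes in one section does not always remove it everywhere. The following Python script is an added example, not the article's or the Apache project's code: it computes the effective Options set for each configured directory and lists the directories where Indexes is still in effect. The httpd.conf and .htaccess samples are constructed; the script assumes Apache 2.4's default of Options FollowSymLinks and does not itself check AllowOverride.

```python
import re

ALL_OPTIONS = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
               "Indexes", "SymLinksIfOwnerMatch"}          # what 'Options All' expands to
CANON = {o.lower(): o for o in ALL_OPTIONS | {"MultiViews"}}
DEFAULT_OPTIONS = {"FollowSymLinks"}   # assumption: Apache 2.4's compiled-in default

# Constructed samples (not a real httpd.conf or .htaccess): the root section sets
# a safe baseline, the document root re-enables Indexes, and two subdirectories
# adjust it relatively.
SAMPLE_HTTPD_CONF = """
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/html>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride Options
</Directory>
<Directory /var/www/html/secret>
    Options -Indexes
</Directory>
<Directory /var/www/html/public>
    Options +MultiViews
</Directory>
"""
# A forgotten per-directory override: .htaccess content keyed by its directory.
SAMPLE_HTACCESS = {"/var/www/html/secret/backup": "Options +Indexes\n"}

_DIRECTORY = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.I | re.S)
_OPTIONS = re.compile(r"^\s*Options\s+(.+?)\s*$", re.I | re.M)


def _norm(path):
    return path if path == "/" else path.rstrip("/")


def apply_options(current, tokens):
    """Apache's merge rule for one Options line: if every token carries + or -,
    the line adjusts the inherited set; otherwise it replaces the set outright."""
    if all(t[0] in "+-" for t in tokens):
        merged = set(current)
        for t in tokens:
            name = CANON.get(t[1:].lower(), t[1:])
            if t[0] == "+":
                merged.add(name)
            else:
                merged.discard(name)
        return merged
    replaced = set()
    for t in tokens:
        if t.lower() == "all":
            replaced |= ALL_OPTIONS
        elif t.lower() != "none":
            replaced.add(CANON.get(t.lower(), t))
    return replaced


def effective_options(httpd_conf, htaccess=None):
    """Effective Options per configured directory, inheriting from the nearest configured
    ancestor (or the server default). .htaccess lines are applied after the httpd.conf
    section for the same directory; AllowOverride is assumed to permit them."""
    lines = {}
    for path, body in _DIRECTORY.findall(httpd_conf):
        lines.setdefault(_norm(path), []).extend(m.split() for m in _OPTIONS.findall(body))
    for path, body in (htaccess or {}).items():
        lines.setdefault(_norm(path), []).extend(m.split() for m in _OPTIONS.findall(body))
    effective = {}
    for path in sorted(lines, key=len):                     # parents before children
        ancestors = [p for p in effective
                     if p != path and path.startswith(p if p == "/" else p + "/")]
        current = set(effective[max(ancestors, key=len)]) if ancestors else set(DEFAULT_OPTIONS)
        for tokens in lines[path]:
            current = apply_options(current, tokens)
        effective[path] = current
    return effective


def directories_with_listing(httpd_conf, htaccess=None):
    """Directories where Indexes is still in effect, i.e. where a listing would be served."""
    return sorted(p for p, opts in effective_options(httpd_conf, htaccess).items() if "Indexes" in opts)
```

In the sample, the -Indexes line on /var/www/html/secret does its job, but the .htaccess in its backup subdirectory re-enables listings there, and /var/www/html/public inherits Indexes from the document root because +MultiViews only adds to the inherited set; both are exactly the cases the audit is meant to surface.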

Vulnerability Classification and Severity Table

Classification    ID / Severity
OWASP 2013        A5
CWE               548
CAPEC             127
WASC              16
OWASP-PC          C6
CVSS:3.0          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
Netsparker        Information

About the Author

Zbigniew Banach

Technical Content Writer at Netsparker. Drawing on his experience as an IT journalist and technical translator, he does his best to bring web security to a wider audience on the Netsparker blog and website.