Directory Listing and Information Disclosure
Directory listing is a web server function that displays a list of all the files in a specific website directory when that directory has no index file, such as index.php or default.asp.
For example, when a user requests www.acunetix.com without specifying a file, the web server processes the request and returns the index file for that directory, and the actual website shows up. However, if the index file does not exist, the web server returns a list of the contents of that directory. This functionality is comparable to the directory listing commands on an operating system's command line, such as ‘ls’ on Unix and Linux systems and ‘dir’ on Windows. Note that a directory listing can also be triggered by exploiting software vulnerabilities with specially crafted requests.
A common mistake webmasters make is to assume that if there are no links to a number of files in a directory, nobody can access them. This is not true, since many web vulnerability scanners, such as Acunetix WVS, will discover such directories. Thus “security through obscurity” is not the best approach to protecting sensitive information. Leaking the names of files in a directory might provide enough information for an attacker to craft further attacks against a particular target.
Examples of Attack Scenarios
- As described above, some web administrators do not properly configure web servers to disable Directory Listing, or do not configure it at all. For instance, administrators may create complex configuration settings, such as allowing directory listing only for particular directories or sub-directories. A mistake in such a configuration might result in the unexpected and unintended enabling of directory listing for directories which contain sensitive information.
- Even if Directory Listing is disabled on a web server, attackers might discover and exploit web server vulnerabilities that result in a directory listing of some specific application directories. For instance, an old Apache Tomcat vulnerability involved improper handling of null bytes (%00) and backslash (‘\’) characters, which made the server prone to directory listing attacks.
- Attackers might discover directory indexes from cached or historical data contained in online databases. For example, Google’s Cache database might contain historical data of a target which previously had directory listing enabled. Such data allows the attacker to gain the information needed without having to exploit vulnerabilities.
Directory Listing and Information Disclosure Example
A user makes a website request to www.vulnweb.com/admin/. The response from the server includes the directory listing of the admin directory, as seen in the screenshot below.
From the above directory listing, you can see that in the /admin directory there is a sub-directory called backup, which might include enough information for an attacker to craft an attack.
The above directory listing displays the whole content of the backup directory. It includes sensitive information such as password files, database files, FTP logs and PHP scripts. This information was obviously not intended for public view; however, misconfiguration of the web server has led to information disclosure, and the data is now publicly available. Moreover, files like these, such as FTP logs, might contain other sensitive information such as usernames, IP addresses, and the complete directory structure of the website users’ operating systems.
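A defensive check for the scenario above, as an added example that is not part of the original article: it recognises an Apache/nginx-style auto-index page in a response body fetched from your own server and flags entries like those in the backup directory. The marker pattern, the SENSITIVE name policy and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# "Index of /..." in the title or heading is what Apache mod_autoindex and
# nginx autoindex emit; other servers use other markers (assumed scope).
LISTING_MARKER = re.compile(r"<(?:title|h1)>\s*Index of /", re.I)

# Entry names worth flagging (hypothetical policy for this example).
SENSITIVE = re.compile(r"(backup|passw|\.sql$|\.bak$|\.log$|\.old$)", re.I)

# Constructed sample bodies: an auto-index page and a normal index page.
SAMPLE_LISTING = """<html><head><title>Index of /admin/backup</title></head><body>
<h1>Index of /admin/backup</h1>
<a href="?C=N;O=D">Name</a>
<a href="/admin/">Parent Directory</a>
<a href="passwords.txt">passwords.txt</a>
<a href="database.sql">database.sql</a>
<a href="ftp.log">ftp.log</a>
<a href="upload.php">upload.php</a>
</body></html>"""
SAMPLE_INDEX = ("<html><head><title>Welcome</title></head>"
                "<body><a href='login.php'>Login</a></body></html>")


class _Links(HTMLParser):
    """Collects the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(unquote(href))


def audit_listing(body):
    """Return (is_listing, entries, sensitive_entries) for one response body."""
    if not LISTING_MARKER.search(body):
        return False, [], []
    parser = _Links()
    parser.feed(body)
    # Skip column-sort links ("?C=N;O=D") and the parent-directory link,
    # which these servers render as an absolute path or "../".
    entries = [h for h in parser.hrefs
               if not h.startswith(("?", "/")) and h != "../"]
    return True, entries, [e for e in entries if SENSITIVE.search(e)]
```

Feed it the bodies returned for each directory URL of a site you administer; any result with is_listing set to True points to a directory where listing should be disabled or an index file added.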