[Techtalk] help! security experts

Almut Behrens almut-behrens at gmx.net
Mon Aug 26 21:24:09 EST 2002


On Mon, Aug 26, 2002 at 11:06:04AM -0700, Kai MacTane wrote:
> At 8/26/02 06:03 AM , Jenn Vesperman wrote:
> 
> >So basically, they're asking for the base directory of the website, with
> >certain parameters. I suspect the parameters mean something to some
> >webservers - it looks to me like it might be a probe of the webserver.
> 
> For Apache, at least, you can use those to specify how the directory output 
> is sorted. N, D, M and S stand for Name, Description, Modified (i.e., "last 
> modification date"), and Size; the A and D that are used as values mean 
> Ascending and Descending sort order.

Anyone interested in the details might want to read:

http://httpd.apache.org/docs/mod/mod_autoindex.html

(scroll down to the section "Autoindex Request Query Arguments")

The Apache module mod_autoindex is basically responsible for creating
directory listings when there is no index.html (or whatever name you've
configured for that with the httpd.conf directive DirectoryIndex).

Maybe the server's just inadvertently been configured to generate
directory listings (check whether you've set "Option Indexes" for the
directory in question, and have loaded or compiled in mod_autoindex).

Whether this is something to worry about depends on the layout of
your site. If you've only got files in your document tree which can be
accessed/downloaded via hyperlinks anyway, then it probably doesn't
matter much having them listed by mod_autoindex, additionally.

If you, on the other hand, have "hidden" files/directories, not meant
for public access, then you probably don't want mod_autoindex to
send out a list of what's available... ;-)
(Sometimes it makes sense to have such hidden files with hard-to-guess
names, not statically referenced from any page. They're merely
protected by the fact that their URL is unknown. For example, you
might have dynamically generated session-id directories like
"/b0fa2de9308bbfb6", being created when someone logs in successfully...)

Cheers,
Almut
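
Added example (not part of the original message): one way to pull the autoindex sort requests discussed in this thread out of an access log and list the directories where the server answered 200, which are the ones to check for Options Indexes. It assumes Common Log Format, covers the Apache 2.x "?C=N;O=D" form in addition to the "?N=D" form described above, and uses constructed log lines; find_listing_requests is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Apache 1.3 sort links look like "?N=D"; Apache 2.x uses "?C=N;O=D".
SORT_QUERY = re.compile(r"^(?:[NMSD]=[AD]|C=[NMSD];O=[AD])$")
# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) \S+'
)

def find_listing_requests(lines):
    """Return {directory: set(client hosts)} for autoindex sort requests
    on a directory URL that were answered with status 200.

    A 200 only makes the directory a candidate: if a DirectoryIndex file
    exists, the server returns that page and ignores the query string, so
    confirm each hit against the Options setting for that directory."""
    candidates = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a GET/HEAD line in the assumed format
        host, target, status = m.groups()
        path, _, query = target.partition("?")
        if path.endswith("/") and status == "200" and SORT_QUERY.match(query):
            candidates[path].add(host)
    return dict(candidates)

# Constructed sample lines (documentation addresses), not from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Aug/2002:06:01:10 -0700] "GET /?N=D HTTP/1.0" 200 1432
192.0.2.10 - - [26/Aug/2002:06:01:11 -0700] "GET /?M=A HTTP/1.0" 200 1432
192.0.2.10 - - [26/Aug/2002:06:01:12 -0700] "GET /private/?S=A HTTP/1.0" 403 210
198.51.100.7 - - [26/Aug/2002:07:15:00 -0700] "GET /docs/?C=M;O=D HTTP/1.1" 200 900
198.51.100.7 - - [26/Aug/2002:07:15:02 -0700] "GET /search?N=D HTTP/1.1" 200 512
203.0.113.5 - - [26/Aug/2002:08:00:00 -0700] "GET /index.html HTTP/1.0" 200 2048
""".splitlines()

if __name__ == "__main__":
    for directory, hosts in sorted(find_listing_requests(SAMPLE_LOG).items()):
        print(f"{directory} check Options Indexes; requested by: "
              f"{', '.join(sorted(hosts))}")
```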



