Directory Listing

medium Web App Scanning Plugin ID 98084

Synopsis

Directory Listing

Description

Web servers permitting directory listing are typically used for sharing files.

Directory listing allows the client to view a simple list of all the files and folders hosted on the web server. The client is then able to traverse each directory and download the files.

Cyber-criminals will utilise the presence of directory listing to discover sensitive files, download protected content, or even just learn how the web application is strurctured.

Scanner discovered that the affected page permits directory listing.

Solution

Unless the web server is being utilised to share static and non-sensitive files, enabling directory listing is considered a poor security practice
This can typically be done with a simple configuration change on the server. The steps to disable the directory listing will differ depending on the type of server being used (IIS, Apache, etc.). If directory listing is required, and permitted, then steps should be taken to ensure that the risk of such a configuration is reduced.
These can include:
1. Requiring authentication to access affected pages. 2. Adding the affected path to the `robots.txt` file to prevent the directory contents being searchable via search engines. 3. Ensuring that sensitive files are not stored within the web or document root. 4. Removing any files that are not required for the application to function.

See Also

https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Directory_Indexing

Plugin Details

Severity: Medium

ID: 98084

Type: remote

Family: Web Servers

Published: 2/4/2019

Updated: 8/12/2024

Scan Template: api, basic, full, overview, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information