> It seems in line with OpenBSD's off by default posture, that is
> the only reason I suggested it.

Very good suggestion, indeed.

Especially if someone has a 'dangerous' file, a PHP shell for instance
(a perfect example: http://mgeisler.net/downloads/phpshell/phpshell-1.7.tar.gz),
inside such a directory. (Or maybe even a simple file uploader, which will
help the attacker upload such 'shell-over-http' files.)

Such shell scripts make it quite easy to browse the directories and view the
files on the server (of other vhost users too, if you like; there are too many
'config.php' files around storing plaintext database usernames/passwords).

Regards.

// Ozgur Kazancci


----- Brad Tilley <b...@16systems.com> wrote:
> On Fri, 12 Mar 2010 10:10 -0800, "patrick keshishian"
> <pkesh...@gmail.com> wrote:
> > does disabling this option /really/ improve security?
> 
> No, not unless you consider keeping files that are
> inappropriately/accidentally copied to these directories a security
> issue. It seems in line with OpenBSD's off by default posture, that is
> the only reason I suggested it.
> 
> > On Fri, Mar 12, 2010 at 9:41 AM, Brad Tilley <b...@16systems.com> wrote:
> > > When run against default OpenBSD servers that have Apache enabled,
> > > vulnerability assessment software (Nessus, Rapid7, etc.) complain about
> > > "browesable web directories". The concern is that someone may
> > > accidentally place inappropriate files in the web directories that will
> > > then be visible to others. Would it be a good idea to remove the Indexes
> > > option from httpd.conf? Admins may enable the option later if they like:
> > >
> > > # cvs diff -Nup httpd.conf
> > > Index: httpd.conf
> > > ===================================================================
> > > RCS file: /cvs/src/usr.sbin/httpd/conf/httpd.conf,v
> > > retrieving revision 1.26
> > > diff -N -u -p httpd.conf
> > > --- httpd.conf  3 Jun 2009 18:28:21 -0000       1.26
> > > +++ httpd.conf  12 Mar 2010 17:39:06 -0000
> > > @@ -396,7 +396,7 @@ DocumentRoot "/var/www/htdocs"
> > >  # Note that "MultiViews" must be named *explicitly* --- "Options All"
> > >  # doesn't give it to you.
> > >  #
> > > -    Options Indexes FollowSymLinks
> > > +    Options FollowSymLinks
> > >
> > >  #
> > >  # This controls which options the .htaccess files in directories can
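Review bot: the `-    Options Indexes FollowSymLinks` / `+    Options FollowSymLinks` change for the htdocs block only holds if the `AllowOverride` directive that the trailing comment introduces ("This controls which options the .htaccess files in directories can ...") does not permit `Options` overrides; if it allows `Options`, a `.htaccess` containing `Options +Indexes` re-enables listings under `/var/www/htdocs`, so that line (not shown in the hunk) is worth checking in the same change. The note above the hunk already says `Options All` does not imply `MultiViews`; it does imply `Indexes`, so any later switch to `All` would silently undo this. The visible behaviour change admins will notice, a 403 instead of a listing for directories with no index file, deserves a sentence in the commit message.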
> > > @@ -601,7 +601,7 @@ CustomLog logs/access_log common
> > >  Alias /icons/ "/var/www/icons/"
> > >
> > >  <Directory "/var/www/icons">
> > > -    Options Indexes MultiViews
> > > +    Options MultiViews
> > >     AllowOverride None
> > >     Order allow,deny
> > >     Allow from all
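Review bot: after the `+    Options MultiViews` change, `/var/www/icons` stays world-readable via `Allow from all`, so the icon files are still served by name; only the listing goes away (a request for `/icons/` itself now returns 403, which is harmless for a directory referenced only through the `Alias`). Unlike the htdocs hunk, `AllowOverride None` is visible here, so there is no `.htaccess` route to re-enable `Indexes` in this block. Listing both directories in the commit message would make the scope of the change clear to admins who want to turn listings back on later.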
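A practical follow-up to the thread is auditing a running server for the same setting rather than only the shipped httpd.conf. The script below is an added example, not code from the thread or from OpenBSD; it scans an Apache-style config for every `Options` directive that turns on directory listings, treating `All` and `+All` as enabling `Indexes` (as the comment in the diff hints) and a trailing `-Indexes` as cancelling it, while skipping comment lines such as the `"Options All"` remark above the first hunk. The function names `check_indexes` and `write_sample` are hypothetical, and the sample config is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report every Options directive in an
# Apache-style config that enables directory listings.
# Usage: check_indexes /path/to/httpd.conf
#   exit 0 if no listing-enabling Options line is found, 1 otherwise;
#   offending lines are printed as file:line: text.
check_indexes() {
    awk '
    {
        line = $0
        # Apache comments are whole lines starting with "#"; drop them so the
        # "Options All" remark in the stock config comment is not a false hit.
        if (line ~ /^[ \t]*#/) next
        # Directive names and Options keywords are case-insensitive.
        if (tolower(line) !~ /^[ \t]*options[ \t]/) next
        n = split(line, f)          # default split drops leading whitespace
        hit = 0
        for (i = 2; i <= n; i++) {  # f[1] is the "Options" keyword itself
            tok = tolower(f[i])
            if (tok == "indexes" || tok == "+indexes" || tok == "all" || tok == "+all") hit = 1
            if (tok == "-indexes") hit = 0   # later -Indexes wins
        }
        if (hit) { found = 1; printf("%s:%d: %s\n", FILENAME, NR, $0) }
    }
    END { exit(found ? 1 : 0) }
    ' "$1"
}

# Constructed sample config (not the OpenBSD file) that mirrors the lines in
# the thread plus two edge cases: a lowercase "+all" and "All -Indexes".
write_sample() {
    cat > "$1" <<'EOF'
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/icons">
    Options MultiViews
</Directory>
<Directory "/var/www/uploads">
    options +all
</Directory>
<Directory "/var/www/private">
    Options All -Indexes
</Directory>
EOF
}

# Run against a real config when a path is given on the command line.
if [ $# -gt 0 ]; then
    check_indexes "$1"
fi
```

The check is deliberately per-line: Apache merges `Options` across `<Directory>` blocks and `.htaccess` files, so a hit in a parent block can be cancelled by `-Indexes` in a child and vice versa. Treat the output as the list of places to inspect, and confirm the effective setting by requesting a directory without an index file and expecting a 403 rather than a listing.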
