On Fri, Mar 12, 2010 at 3:28 PM, <kj...@pintday.org> wrote:
>> Very good suggestion, indeed.
>>
>> Especially, if someone has a 'dangerous' file, a PHP Shell for instance,
>> (a perfect example:
>> http://mgeisler.net/downloads/phpshell/phpshell-1.7.tar.gz)
>> inside such a directory. (Or even maybe a simple file uploader, that will
>> help the attacker to upload such 'shell-over-http' files.)
>
> Also, think "emacs-turdfile". Have any config.php~ lying around?
>
> or index.php~?
>
> Are you SURE?

If you have an index.php~ file, then you have an index.php file, and Apache won't list the directory contents, so you're safe. Except an attacker can still download index.php~ even without an index. So the change does nothing.
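An added example, not part of the thread: a document-root audit that flags editor leftovers of script files, the config.php~ and index.php~ case discussed above. It goes beyond the thread by also matching Emacs autosave (#name#) and Vim swap (.name.swp) files; the function names, the extension list and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: extensions the web server hands to an interpreter. A leftover
# copy no longer ends in one of these, so it is typically served as raw source.
SCRIPT_EXTS = {".php", ".phtml"}

# Editor leftovers: Emacs backup (name~), Emacs autosave (#name#),
# Vim swap file (.name.swp, .name.swo, ...).
PATTERNS = [
    re.compile(r"^(?P<orig>.+)~$"),
    re.compile(r"^#(?P<orig>.+)#$"),
    re.compile(r"^\.(?P<orig>.+)\.sw[a-p]$"),
]

def original_name(filename):
    """Return the name of the file this leftover was made from, or None."""
    for pat in PATTERNS:
        m = pat.match(filename)
        if m:
            return m.group("orig")
    return None

def find_exposed_backups(docroot):
    """List leftovers under docroot whose original was a script file."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            orig = original_name(name)
            if orig and os.path.splitext(orig)[1].lower() in SCRIPT_EXTS:
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def demo():
    """Build a constructed sample tree and scan it."""
    sample = ["index.php", "index.php~", "notes.txt~", "admin/config.php~",
              "admin/#login.php#", "admin/.config.php.swp"]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "admin"))
        for rel in sample:
            open(os.path.join(root, *rel.split("/")), "w").close()
        return find_exposed_backups(root)

if __name__ == "__main__":
    for path in demo():
        print("source exposed if requested directly:", path)
```

The scan reports files by path, so it finds them whether or not directory listing is enabled.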