This type of attack exploits a web server function that lists all the files in a requested directory when the normal base file is not present.
When a user types in a request for a page on a web site, the web server processes the request, searches the web document root directory for the default file name, and then sends this page to the user. If the server cannot find the page, it will issue a directory listing and send the output in HTML format to the user.
Software vulnerabilities, combined with a specific web request, can cause this behavior to disclose directory listings that were never meant to be shown to the user. This information leak can provide an attacker with the information necessary to launch further attacks against the system.
Signature name | Description | More information |
---|---|---|
HTTP_Apache_Macros_dir | Detects an HTTP GET request for the .DS_Store or .FBCIndex files. | IBM® X-Force®: Apple Mac OS X used with Apache Web server could disclose directory contents |
HTTP_Tomcat_Nulllist | Checks for a specially-crafted URL designed to obtain a list of directories from an Apache Tomcat servlet container. | IBM X-Force: Apache Tomcat URL appended with a null character could list directories |
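
The two request patterns in the table can also be looked for after the fact in web server access logs. The following is an added example, not IBM's signature logic: the matching rules are an approximation of the table's descriptions, and the log format (Combined Log Format), function names and sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format prefix: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
MAC_INDEX_FILES = {".ds_store", ".fbcindex"}  # compared case-insensitively (assumption)

def classify(method, target):
    """Return the names of the table's signatures that a request resembles."""
    path = unquote(urlsplit(target).path)  # percent-decode the path once
    hits = []
    # Last path segment, ignoring NUL characters and a trailing slash.
    leaf = path.replace("\x00", "").rstrip("/").rsplit("/", 1)[-1].lower()
    if method == "GET" and leaf in MAC_INDEX_FILES:
        hits.append("HTTP_Apache_Macros_dir")
    if "\x00" in path:  # a NUL anywhere in the path, not only appended
        hits.append("HTTP_Tomcat_Nulllist")
    return hits

def scan(lines):
    """Return (client, signature, target, served) for every matching log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for sig in classify(m["method"], m["target"]):
            # served=True (status 200) means the server answered: review what it returned.
            findings.append((m["ip"], sig, m["target"], m["status"] == "200"))
    return findings

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /images/.DS_Store HTTP/1.1" 200 6148',
    '192.0.2.44 - - [01/Jan/2024:10:00:06 +0000] "GET /docs/.FBCIndex HTTP/1.1" 404 196',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /examples/%00 HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2024:10:02:00 +0000] "GET /blog/what-is-.DS_Store.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with `served` set to true are the ones to triage first, because the server returned content for the request rather than rejecting it.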