Directory indexing attacks

This type of attack exploits a function of the web server that lists all the files within a requested directory if the normal base file is not present.

About this attack

When a user types in a request for a page on a web site, the web server processes the request, searches the web document root directory for the default file name, and then sends this page to the user. If the server cannot find the page, it will issue a directory listing and send the output in HTML format to the user.

This action allows the contents of unintended directory listings to be disclosed to the user because of software vulnerabilities combined with a specific web request. This information leak can provide an attacker with the information necessary to launch further attacks against the system.

The information leak might include some of these files or user information:

Backup files that use file name extensions, such as BAK, OLD, or ORIG
Temporary files that have been purged from the server, but might still be available
Hidden files with file names that start with a . (period)
Naming conventions where the attacker can determine how the web site names directories or files
Personal user accounts on a web server where the user has named their home directory with the same name as their user account
Configuration file contents that might contain access control data and use file name extensions, such as CONF, CFG, or CONFIG
Directory indexing of the cgi-bin contents that can enable an attacker to download or review script code if permissions are incorrect

In some cases, an attacker might be able to access an unintended directory listing or index by exploiting one of these vulnerabilities:

Web server configured incorrectly to allow or provide a directory index
Web server allows a directory index even though it has been disabled in the configuration file or if an index page is present
Cache database used by Google might contain historical data including directory indexes from past scans of a specific web site

Signatures triggered by this attack

The signatures triggered by directory indexing attacks include:

Table 1. Directory indexing signatures
Signature name	Description	More information
HTTP_Apache_Macros_dir	Detects an HTTP GET request for `the.dS_store` or `.FBCIndex` files.	IBM® X-Force®: Apple Mac OS X used with Apache Web server could disclose directory contents CVE-2001-1446
HTTP_Tomcat_Nulllist	Checks for a specially-crafted URL designed to obtain a list of directories from an Apache Tomcat servlet container.	IBM X-Force: Apache Tomcat URL appended with a null character could list directories CVE-2003-0042