Directory indexing attacks

This type of attack exploits a function of the web server that lists all the files within a requested directory if the normal base file is not present.

About this attack

When a user types in a request for a page on a web site, the web server processes the request, searches the web document root directory for the default file name, and then sends this page to the user. If the server cannot find the page, it will issue a directory listing and send the output in HTML format to the user.

This action allows the contents of unintended directory listings to be disclosed to the user because of software vulnerabilities combined with a specific web request. This information leak can provide an attacker with the information necessary to launch further attacks against the system.

The information leak might include some of these files or user information:
  • Backup files that use file name extensions, such as BAK, OLD, or ORIG
  • Temporary files that have been purged from the server, but might still be available
  • Hidden files with file names that start with a . (period)
  • Naming conventions where the attacker can determine how the web site names directories or files
  • Personal user accounts on a web server where the user has named their home directory with the same name as their user account
  • Configuration file contents that might contain access control data and use file name extensions, such as CONF, CFG, or CONFIG
  • Directory indexing of the cgi-bin contents that can enable an attacker to download or review script code if permissions are incorrect
In some cases, an attacker might be able to access an unintended directory listing or index by exploiting one of these vulnerabilities:
  • Web server configured incorrectly to allow or provide a directory index
  • Web server allows a directory index even though it has been disabled in the configuration file or if an index page is present
  • Cache database used by Google might contain historical data including directory indexes from past scans of a specific web site

Signatures triggered by this attack

The signatures triggered by directory indexing attacks include:
Table 1. Directory indexing signatures
Signature name Description More information
HTTP_Apache_Macros_dir Detects an HTTP GET request for the.dS_store or .FBCIndex files. IBM® X-Force®: Apple Mac OS X used with Apache Web server could disclose directory contents

CVE-2001-1446

HTTP_Tomcat_Nulllist Checks for a specially-crafted URL designed to obtain a list of directories from an Apache Tomcat servlet container. IBM X-Force: Apache Tomcat URL appended with a null character could list directories

CVE-2003-0042