Solved

Viewing a site's files and directories

Posted on 2003-12-04
Last Modified: 2010-04-11
I am wondering if it is possible to browse through a website's entire structure, similar to an ls(dir) command? I am making a website and want to know if it is possible for someone to see a folder or file that I do not link to, but put in the site's folder. Example, if the site is www.mysite.com, and the folder is www.mysite.com/myfolder, I am wondering if I don't link to this folder, can someone browse my site's structure and see it? I have the same question with files, if I have www.mysite.com/hidden.html, is it possible to find this file (and any others that are not linked to)? If there is a way, what is it? Thank you.
0
Question by:skabzalot
 

Author Comment

by:skabzalot
ID: 9872969
Note: www.mysite.com is not actually my site, just an example.
0
 
LVL 7

Accepted Solution

by:
MaB earned 125 total points
ID: 9873181
In IIS you would have to right-click <default web site>, then choose Properties and Home Directory. There you have a checkbox called Directory Browsing. With that checked, visitors will be able to browse your directory.
0
 
LVL 18

Assisted Solution

by:chicagoan
chicagoan earned 125 total points
ID: 9874279
In IIS and Apache browsing is a feature that can be turned on or off.
If it is turned off, generally one specifies a default document that will be served up when only the directory is specified in the URL, otherwise a 404 error is generated.
Nothing stops a person from fishing for documents unless you place them in an area that requires .htaccess or OS authentication.
0
LVL 9

Expert Comment

by:TooKoolKris
ID: 9874527
How to Enable Directory Browsing on Virtual Directories
http://support.microsoft.com/default.aspx?scid=kb;en-us;239053

Creating a Directory Browsing Page Using ASP
http://support.microsoft.com/default.aspx?scid=kb;en-us;224364

WWW and FTP Virtual Directories Are Not Displayed in Directory Listings
http://support.microsoft.com/default.aspx?scid=kb;en-us;247376

HOW TO: Configure Web Server Permissions for Web Content in IIS
http://support.microsoft.com/default.aspx?scid=kb;en-us;313075
0
 

Author Comment

by:skabzalot
ID: 9877145
So if I turn browsing off, then is there a way to do it? A program or something?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9877537
There are website 'cloning' applications that start at the homepage and follow all the links.
These utilities aren't much good these days, as Java and ASP mask a lot of the site; they worked when sites were mostly a collection of static pages.
i.e. http://www.bluesquirrel.com/products/grabasite/index.html?ASCID=1161

and one could script a brute force attack,

but there is no HTTP command that will override the web server setup and enumerate the directories, short of a newly discovered vulnerability.

0
 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 9879398
I know of one program called IntelliTamper that can do this. It does more than just "spider" a site - follow each link on each page to the next page. It can actually search through a site and find other files that are NOT linked off any existing page. I have tested this, and I just don't understand how it does it!
I used it on a friend's website once to find his resume that he didn't realize was up in his webspace!

http://www.intellitamper.com/

0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9879596
"Discover hidden files and folders with a words dictionary search"
A more focused attack than brute force, but the same idea.
0
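The dictionary-style guessing discussed in this thread leaves a recognisable trace in the web server's access log: one client requesting many paths that do not exist. The following is an added example, not part of the original thread, that flags such clients and lists which of their guesses returned a page; the log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in common log format (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Dec/2003:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [04/Dec/2003:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 312
203.0.113.7 - - [04/Dec/2003:10:00:09 +0000] "GET /about.html HTTP/1.1" 200 2048
198.51.100.23 - - [04/Dec/2003:10:05:01 +0000] "GET /old/ HTTP/1.1" 404 312
198.51.100.23 - - [04/Dec/2003:10:05:01 +0000] "GET /test/ HTTP/1.1" 404 312
198.51.100.23 - - [04/Dec/2003:10:05:02 +0000] "GET /temp/ HTTP/1.1" 404 312
198.51.100.23 - - [04/Dec/2003:10:05:02 +0000] "GET /backup/ HTTP/1.1" 404 312
198.51.100.23 - - [04/Dec/2003:10:05:03 +0000] "GET /private/ HTTP/1.1" 404 312
198.51.100.23 - - [04/Dec/2003:10:05:03 +0000] "GET /myfolder/ HTTP/1.1" 403 298
198.51.100.23 - - [04/Dec/2003:10:05:04 +0000] "GET /hidden.html HTTP/1.1" 200 1024
"""

# client, requested path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')


def find_path_guessers(log_text, min_misses=5, min_miss_ratio=0.8):
    """Return {client: [paths that answered 200]} for clients whose requests
    are mostly misses (403/404) on distinct paths, i.e. likely path guessing.
    The thresholds are assumptions; tune them to the site's normal traffic."""
    seen = defaultdict(dict)  # client -> {path: last status seen}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, path, status = m.groups()
            seen[client][path] = int(status)

    report = {}
    for client, paths in seen.items():
        misses = [p for p, s in paths.items() if s in (403, 404)]
        if len(misses) >= min_misses and len(misses) / len(paths) >= min_miss_ratio:
            # Paths this client found: candidates to remove or put behind authentication.
            report[client] = sorted(p for p, s in paths.items() if s == 200)
    return report


if __name__ == "__main__":
    for client, found in find_path_guessers(SAMPLE_LOG).items():
        print(client, "guessed paths; these answered 200:", found)
```

Any path reported for a flagged client is one that was reachable without a link, so it belongs either off the server or in an area that requires authentication.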
 
LVL 1

Expert Comment

by:jeaney
ID: 9978000
Just make sure there's an index.html in each directory.
This would ensure that they see a webpage rather than a directory listing.

You could maybe put a redirect into it to bring the attacker to your home page.

0
 
LVL 3

Expert Comment

by:ewall
ID: 10509552
You can help lock down your site from prying eyes with the following:

* Using the "IndexIgnore *" directive in your .htaccess file (if your webserver is Apache or its copycats) - see http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#indexignore

* Using a robots.txt file - see http://www.robotstxt.org/

~ewall
0
