Solved

Viewing a sites files and directories

Posted on 2003-12-04
13
362 Views
Last Modified: 2010-04-11
I am wondering if it is possible to browse through a websites entire structure, similar to an ls(dir) command?  I am making a website and want to know if it is possible for someone to see a folder or file that I do not link to, but put in the sites folder.  Example, if the site is www.mysite.com, and the folder is www.mysite.com/myfolder,  I am wondering if I don't link to this folder, can someone browse my sites structure and see it?  I have the same question with files, if I have www.mysite.com/hidden.html, is it possible to find this file (and any others that are not linked to)?  If there is a way, what is it?  Thank you.
0
Comment
Question by:skabzalot
13 Comments
 

Author Comment

by:skabzalot
ID: 9872969
note:  www.mysite.com is not actually my site, just an example.
0
 
LVL 7

Accepted Solution

by:
MaB earned 125 total points
ID: 9873181
In IIS you would have to right click <default web site> choose properties and home directory. There you have a checkbox called Directory Browsing. With that checked visitors will be able to browse your directory.
0
 
LVL 18

Assisted Solution

by:chicagoan
chicagoan earned 125 total points
ID: 9874279
In IIS and Apache browsing is a feature that can be turned on or off.
If it is turned off, generally one specifies a default document that will be served up when only the directory is specified in the URL, otherwise a 404 error is generated.
Nothing stops a person from fishing for documents unless you place them in an area that requires .htaccess or OS authentication.
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9874527
How to Enable Directory Browsing on Virtual Directories
http://support.microsoft.com/default.aspx?scid=kb;en-us;239053

Creating a Directory Browsing Page Using ASP
http://support.microsoft.com/default.aspx?scid=kb;en-us;224364

WWW and FTP Virtual Directories Are Not Displayed in Directory Listings
http://support.microsoft.com/default.aspx?scid=kb;en-us;247376

HOW TO: Configure Web Server Permissions for Web Content in IIS
http://support.microsoft.com/default.aspx?scid=kb;en-us;313075
0
 

Author Comment

by:skabzalot
ID: 9877145
so if I turn browsing off, then is there a way to do it?  A program or something?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9877537
There are website 'cloning' applications that start at the homepage and follow all the links.
These utilities aren't much good these days as as java and asp mask a lot of the site, they worked when sites were mostly a collection of static pages.
i.e http://www.bluesquirrel.com/products/grabasite/index.html?ASCID=1161

and one could script a brute force atttack,

but there is no http command that will over-ride the web server setup and enumetate the directories, short of a newly discovered vulnerability.

0
 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 9879398
I know of one program called IntelliTamper that can do this. It does more then just "spider" a site - follow each link on each page to the next page. It can acutally search through a site and find other files that are NOT linked off any existing page. I have tested this, and I just don't understand how it does it!
I used it on a friend's website once to find his resume that he didn't realize was up in his webspace!

http://www.intellitamper.com/

0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9879596
"Discover hidden files and folders with a words dictionary search"
A more focused attack than brute force, but the same idea.
0
 
LVL 1

Expert Comment

by:jeaney
ID: 9978000
Just make sure there's an index.html in each directory.
This would ensure that they see a webpage rather than a directory listing.

You could maybe put a redirect into it to bring the attacker to your home page.

0
 
LVL 3

Expert Comment

by:ewall
ID: 10509552
You can help lockdown your site from prying eyes with the following:

* Using the "IndexIgnore *" directive in your .htaccess file (if your webserver is Apache or its copycats) - see http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#indexignore

* Using a robots.txt file - see http://www.robotstxt.org/

~ewall
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Pop culture is prime bait for hackers seeking to infect user’s computers and mobile devices with malicious malware. Hackers know exactly what the latest trends are online and know how to use them to their advantage.
The new Gmail Phishing Scam going around is surprising even the savviest of users with its sophisticated techniques.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question