Directory indexing attacks

Directory indexing attacks exploit a function of the web server that lists all the files within a requested directory if the normal base file is not present.

About this attack

When a user types in a request for a page on a website, the web server processes the request, searches the web document root directory for the default file name, and then sends this page to the user. If the server cannot find the page, it issues a directory listing and sends the output in HTML format to the user.

This action allows the contents of unintended directory listings to be disclosed to the user because of software vulnerabilities that are combined with a specific web request. This information leak can provide an attacker with the information necessary to launch further attacks against the system.

The information leak might include some of these files or user information:
  • Backup files that use file name extensions, such as BAK, OLD, or ORIG
  • Temporary files that are purged from the server, but might still be available
  • Hidden files with file names that start with a . (period)
  • Naming conventions where the attacker can determine how the website names directories or files
  • Personal user accounts on a web server where the user names their home directory with the same name as their user account
  • Configuration file contents that might contain access control data and use file name extensions, such as CONF, CFG, or CONFIG
  • Directory indexing of the cgi-bin contents that can enable an attacker to download or review script code if permissions are incorrect

In some cases, an attacker might be able to access an unintended directory listing or index by exploiting one of these vulnerabilities:
  • Web server that is configured incorrectly to allow or provide a directory index
  • Web server that allows a directory index even though indexing is disabled in the configuration file or an index page is present
  • Cache database that is used by Google might contain historical data that includes directory indexes from past scans of a specific website
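
The following audit is an added example, not part of the original page or of any product it describes. It walks a document root, reports every directory that has no default file (and so would fall back to a listing as described above), and shows which backup, hidden, and configuration files that listing would disclose. The default file names in INDEX_NAMES and the sample tree are assumptions constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Assumed default file names; match these to the server's own index setting.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.htm"}
BACKUP_EXT = {".bak", ".old", ".orig"}      # backup extensions named on this page
CONFIG_EXT = {".conf", ".cfg", ".config"}   # configuration extensions named on this page


def classify(name):
    """Return the risk category for a file name, or None if it is not flagged."""
    if name.startswith("."):
        return "hidden"
    ext = os.path.splitext(name)[1].lower()
    if ext in BACKUP_EXT:
        return "backup"
    if ext in CONFIG_EXT:
        return "config"
    return None


def audit(docroot):
    """Map each directory without a default file to what a listing would reveal."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(docroot):
        if any(f.lower() in INDEX_NAMES for f in filenames):
            continue  # default file present, so the server returns it instead
        risky = sorted((f, classify(f)) for f in filenames if classify(f))
        # Subdirectory names leak too (naming conventions, user home directories).
        rel = os.path.relpath(dirpath, docroot)
        findings[rel] = {"files": risky, "subdirs": sorted(dirnames)}
    return findings


def build_sample_tree(root):
    """Create a small constructed document root for the demonstration."""
    for rel in ("index.html", "docs/index.html", "docs/old/page.html.bak",
                "docs/old/site.conf", "docs/old/readme.txt", "users/alice/.profile"):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, info in sorted(audit(root).items()):
            print(rel, info)
```

A directory that appears in the result is only exposed if the server is also configured to generate listings, so treat the output as a list of places to add a default file or confirm that indexing is disabled.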

Signatures triggered by this attack

The signatures that are triggered by directory indexing attacks include:
Table 1. Directory indexing signatures

Signature name: HTTP_Apache_Macros_dir
Description: Detects an HTTP GET request for the .DS_Store or .FBCIndex files.
More information: IBM® X-Force®: Apple Mac OS X used with Apache Web server could disclose directory contents; CVE-2001-1446

Signature name: HTTP_Tomcat_Nulllist
Description: Checks for a specially crafted URL designed to obtain a list of directories from an Apache Tomcat servlet container.
More information: IBM X-Force: Apache Tomcat URL appended with a null character could list directories; CVE-2003-0042