The Pros and Cons of Directory Listings

A “Directory Listing” is a raw browser display of directory (folder) contents, usually with associated hyperlinks. A server can be configured to display or not display a directory listing, and this can be set anywhere from the top server root level down to a specific directory level. Directory listings are presented when the request address ends with a slash / and the default page for that directory is missing.

If a default file exists in a directory that allows directory listings (index.html for example), the server will display that page instead of the listing. If a default page cannot be found by the server, a list of files and subdirectories within that directory is displayed (see example below). Most commonly, the files and subdirectories are links to the actual files and subdirectories.

There are benefits from Directory Listings that make life easier. The first, and most obvious, is that there is no requirement to design and develop website content to display the directory contents or links to each item. Large directories of media for distribution are easily broken into subdirectories that indicate their content and so on, allowing simple navigability. Allowing retrieval of many image files, PDF files, or other resources on your server becomes an easy task. Simply adding new files and deleting old files is the only maintenance required. Directory Listings automatically update every time a user makes a request.

There are some drawbacks to Directory Listings that make life difficult. Directory listings are blind, and will display any content within regardless of its sensitivity. If you place a file within this directory, it will be offered for retrieval, and permissions to prevent retrieval by unwanted users are required. Simply being able to see the names of files and subdirectories is often very bad. Internet hackers will eventually find your directory listings, especially if there is sensitive content. If your /admin or /etc/ or /var directories can be viewed, your server may become compromised.

If you are going to use Directory Listings on your server, be careful not to place sensitive content into them. Make sure you have permissions set correctly to prevent retrieval of sensitive content that may exist. If you can avoid using Directory Listings, you may sleep better at night.
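One way to check this before publishing, shown as an added example that is not part of the original article: walk the document root, report every directory that has no default page (and so would be served as a listing if listings are enabled there), and flag sensitive-looking names inside it. The default-page names, the name hints, and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed default-page names; match these to your server's configuration.
DEFAULT_PAGES = {"index.html", "index.htm", "index.php", "default.htm"}
# Assumed name fragments that suggest sensitive content (illustrative only).
SENSITIVE_HINTS = ("passwd", "password", ".bak", ".sql", ".key", ".env", "config")


def audit_docroot(docroot):
    """Return {url_path: [sensitive-looking entries]} for every directory
    that has no default page and would therefore be shown as a listing."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(docroot):
        if DEFAULT_PAGES & {f.lower() for f in filenames}:
            continue  # a default page is served instead of the listing
        rel = os.path.relpath(dirpath, docroot)
        url = "/" if rel == "." else "/" + rel.replace(os.sep, "/") + "/"
        entries = sorted(dirnames + filenames)
        findings[url] = [e for e in entries
                         if any(h in e.lower() for h in SENSITIVE_HINTS)]
    return findings


def build_sample_tree(root):
    """Constructed sample document root used only for this demonstration."""
    layout = {
        "index.html": "home",
        "media/a.pdf": "x",
        "media/b.png": "x",
        "admin/index.html": "login",
        "backup/site.sql": "x",
        "backup/passwords.txt": "x",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for url, risky in sorted(audit_docroot(root).items()):
            print(url, "-> would list; sensitive-looking:", risky or "none")
```

A directory reported with an empty list (such as the media directory here) may be an intended listing; one reported with flagged names needs either the files removed or listings disabled for that path.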

Since some hackers search for this type of content, it is not uncommon to manufacture a “honeypot” that appears to be the Directory Listing for /admin or for /var or for /etc. The following is an example of both a Directory Listing Honeypot as well as a real Directory Listing.

Index of /password

