This topic is now archived and is closed to further replies.

www.in.no

Block access to apache default folders

I am playing around with the free PCI scan at McAfee, and have some matters that it finds.

There are some default folders of Apache that are listed as directory listing. Can I block them in htaccess or do I need to get the host to disable them in http.conf?


The htaccess contrib given on How to secure your site: http://forums.oscommerce.com/index.php?showtopic=313323 includes code to prevent directory listing.


Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:

Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.


I know and have used that one.

 

The problem is that it is global directories from the Apache installation and it won't block on my side. It's the basic stuff for Apache manual, images, etc.

I tried to create the directory in my web root. -> did not help.

I put a .htaccess / index.html file in the above catalog. -> did not help.

I tried to block the directory with a <Directory> directive. -> did not help.

I believe I have to get my host to turn it off, but as it is only for testing I would check if there was any other solution.


Are you saying your server is giving public access below your root or public_html folder? If so, that is not normal & is an issue your host must address.


Sam

 


> Are you saying your server is giving public access below your root or public_html folder if so, that is not normal

Actually it is normal. A default Apache installation has aliases to manual pages and several others. However, they should by default allow access only to local IP addresses. In a shared hosting environment your host may make these pages available to customers by opening up those pages to outside addresses. But Spooks is right, it is an issue only your host can resolve. The question is, will they?


Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?
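The server-level aliases discussed in this thread, as an added example that is not part of the original posts: a small audit a host could run over its Apache configuration to see which `Alias` targets sit outside the customer's document root and are publicly listable. The sample configuration, all paths in it, and the function names `audit_aliases` and `exposed` are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample of a host's server-level config. All paths are assumptions;
# real locations vary by distribution and hosting setup.
SAMPLE_CONF = '''
DocumentRoot "/home/customer/public_html"
<Directory "/home/customer/public_html">
    Options -Indexes
    AllowOverride All
</Directory>
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
    Options Indexes MultiViews
    Require all granted
</Directory>
Alias /manual "/usr/share/doc/apache2-doc/manual"
<Directory "/usr/share/doc/apache2-doc/manual">
    Options Indexes
    Require local
</Directory>
'''

def audit_aliases(conf):
    """Report each Alias: is its target outside DocumentRoot, listable, public?"""
    root = PurePosixPath(re.search(r'^\s*DocumentRoot\s+"?([^"\n]+)', conf, re.M).group(1))
    # <Directory> path -> directives inside that block (no inheritance modelled).
    blocks = {PurePosixPath(p): body for p, body in
              re.findall(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', conf, re.S)}
    findings = []
    for url, target in re.findall(r'^\s*Alias\s+(\S+)\s+"?([^"\n]+)', conf, re.M):
        path = PurePosixPath(target)
        body = blocks.get(path, "")
        opts = re.findall(r'^\s*Options\s+(.*)$', body, re.M)
        tokens = opts[-1].split() if opts else []
        findings.append({
            "url": url,
            # .htaccess files are read from the target path and its parents, so
            # one placed in the customer's web root never applies out here.
            "outside_docroot": root not in (path, *path.parents),
            "listing": any(t in ("Indexes", "+Indexes", "All") for t in tokens),
            "public": bool(re.search(r'^\s*Require\s+all\s+granted\b', body, re.M)),
        })
    return findings

def exposed(conf):
    """Alias URLs a remote scanner could flag as directory listings."""
    return [f["url"] for f in audit_aliases(conf)
            if f["outside_docroot"] and f["listing"] and f["public"]]
```

On the sample, only `/icons/` is reported: `/manual` is listable but limited by `Require local`, and changing the icons block to `Options -Indexes` clears the finding.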


The other question is, do you really need to? For a true PCI scan you have to reveal ALL hostnames that the server answers to. You are not likely going to be able to do that and therefore a true PCI scan is not going to be able to be initiated by you.

 

I would simply ignore the default apache folder issues that it finds.



I am ignoring it as I don't need any true PCI scan, as there is no CC on site, only through PayPal.

Just curious if there was anything that can be done on my side. It's more that it could be fun to get the scan complete with no errors. :D
