Display All File And Folder
This PHP code is used to display all files and folders in the current directory. This code is used for web hosting projects.
What is Directory Listing?
Directory listing is a web server feature that, when enabled, lists the contents of a directory when no index file (e.g. index.php or index.html) is present. If a request is made to a directory on which directory listing is enabled and there is no index file such as index.php or index.asp, the web server sends a directory listing as the response, even if the directory holds files from a web application. When this happens there is an information leakage issue, and attackers can use such information to craft other attacks, including direct impact vulnerabilities such as XSS.
As you can see from the picture above, the directory listing feature generates output similar to the 'dir' or 'ls' command run on an operating system. Directory listing issues are the type of issue that an SSL certificate won't protect you from. However, the good news is that these types of issues can be easily identified with an automated web vulnerability scanner.
What Information is Leaked & What are the Risks of Directory Listing?
Let’s assume that a backup copy of the file config.php, in which the credentials for a database connection are kept, is in the secret folder, which has directory listing enabled.
If the attacker finds the secret folder by crawling or fuzzing and tries to access it directly, e.g. http://www.example.com/secret/, he can see and download the backup file, which contains the database connection details. The attacker now has the connection details for the web application’s database, possibly allowing him to damage the database or the web application with these credentials.
How to Disable Directory Listing?
As a security best practice it is recommended to disable directory listing. You can disable directory listing by creating an empty index file (index.php, index.html or any other extension your web server is configured to parse) in the relevant directory. In many cases, though, this is not the best solution, because such files are typically forgotten, for example when migrating the web application from development to production environments, or when new directories are added.
So you should implement a permanent and secure solution by disabling directory listing at web server level, as explained in this article.
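The following audit script is an added example, not code from the original article: it walks a document root and reports every directory that has no index file, together with any backup-like files inside it, which is the situation described above where config.php's backup sits in a folder whose index file was forgotten. The index file names, the backup suffixes and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumptions: adjust both sets to your server's index setting and your own naming habits.
INDEX_NAMES = {"index.php", "index.html", "index.htm"}
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~", ".zip", ".tar.gz", ".sql")

def audit_docroot(root):
    """Return (relative_dir, backup_like_files) for each directory without an
    index file, i.e. each directory that is only protected if the web server
    itself has directory listing disabled."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        if INDEX_NAMES & set(filenames):
            continue
        risky = sorted(f for f in filenames if f.lower().endswith(BACKUP_SUFFIXES))
        findings.append((os.path.relpath(dirpath, root), risky))
    return findings

def build_sample_tree(base):
    """Create a constructed document root resembling the article's scenario."""
    layout = {
        "": ["index.php"],
        "images": ["index.html", "logo.png"],
        "secret": ["config.php.bak", "notes.txt"],         # index file forgotten
        "uploads": ["index.html"],
        os.path.join("uploads", "2024"): ["report.pdf"],   # directory added later
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(base, rel), exist_ok=True)
        for name in names:
            open(os.path.join(base, rel, name), "w").close()
    return base

def audit_sample():
    """Run the audit over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_docroot(build_sample_tree(tmp))

if __name__ == "__main__":
    for directory, risky in audit_sample():
        print(directory, "->", risky or "no backup-like files")
```

Run it against a copy of the deployed document root; any directory it reports relies entirely on the server-level setting described in the rest of this article.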
Disabling Directory Listing For Some Web Servers
Disabling Directory Listing on Tomcat Server
In Tomcat 5.0 directory listing is disabled by default. However, it is possible to disable directory listing if it was enabled because of a regression or configuration changes. We can configure directory listing at two different levels: the first one will affect all our web projects and the second one will only affect a specified website.
Disabling Directory Listing in All Web Projects
To disable directory listing on the Tomcat web server, open the conf/web.xml file in the directory where Tomcat is installed. In our test on Windows 10, the default installation directory was “C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0”
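    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>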
Find the listings entry in the <param-name> value of the <init-param> tag. As you can imagine, <param-value> is the determining factor for us in this section. If this field is true and you want to disable directory listing, change this field to false.
Disabling Directory Listing in a Web Project
In the first method, we configured a general setting that applies to all the web projects running on the server. In this method, we will configure it so that it only affects the website we changed. Open the web.xml file for the relevant web project and add the following code:
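    <servlet>
        <servlet-name>DefaultServletOverride</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>DefaultServletOverride</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>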
The default servlet was overridden with the above change. Now, the website we made this change on will run independently of the setting we configured in the first method.
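Because a per-application web.xml can override the server-wide setting, both files need checking. The script below is an added example, not part of the original article or of Tomcat: it parses a web.xml and reports the listings value and URL patterns of every servlet backed by DefaultServlet. The sample XML is constructed, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: a per-application web.xml where listings was switched on.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>DefaultServletOverride</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>DefaultServletOverride</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>"""

def kids(elem, name):
    # Compare local names only, so namespaced and un-namespaced files both work.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def text_of(elem, name):
    found = kids(elem, name)
    return (found[0].text or "").strip() if found else ""

def audit_web_xml(xml_text):
    """Map each DefaultServlet-backed servlet name to its listings flag and URL patterns."""
    root = ET.fromstring(xml_text)
    servlets = {}
    for servlet in kids(root, "servlet"):
        if text_of(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        listings = False  # DefaultServlet does not list when the parameter is absent
        for param in kids(servlet, "init-param"):
            if text_of(param, "param-name") == "listings":
                listings = text_of(param, "param-value").lower() == "true"
        servlets[text_of(servlet, "servlet-name")] = {"listings": listings, "patterns": []}
    for mapping in kids(root, "servlet-mapping"):
        entry = servlets.get(text_of(mapping, "servlet-name"))
        if entry is not None:
            entry["patterns"] += [(p.text or "").strip() for p in kids(mapping, "url-pattern")]
    return servlets

if __name__ == "__main__":
    for name, info in audit_web_xml(SAMPLE_WEB_XML).items():
        print(name, "listings enabled" if info["listings"] else "ok", info["patterns"])
```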
Disabling Directory Listing on Nginx Server
The directory listing feature on Nginx is controlled by the ngx_http_index_module. Directory listing is disabled by default in the Nginx configuration file. However, it is possible to disable directory listing if it was enabled because of a regression or configuration changes.
The Nginx parameter, autoindex, is used together with the location segment to enable or disable the directory listing feature.
How Can We Disable It?
The default configuration file of an Nginx server is called nginx.conf and can be found in /usr/local/nginx/conf, /etc/nginx or /usr/local/etc/nginx. If the default value has been changed, you can see a setting similar to the following:
    server {
        listen 80;
        server_name domain.com www.domain.com;
        access_log /var/...........................;
        root /path/to/root;
        location / {
            index index.php index.html index.htm;
        }
        location /somedir {
            autoindex on;
        }
    }
In this section, the determining parameter is autoindex on; as we mentioned above. In the above example, directory listing is configured only for the somedir directory. If no directory is specified (e.g. location / {autoindex on;}), the rule will be applied to all the folders. To disable directory listing, we need to switch the value of autoindex to off. Do not forget to run the command below for the changes to take effect:
service nginx restart
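An autoindex value set in an enclosing block is inherited by every nested block that does not set its own, so one stray directive at server level can expose several locations. The script below is an added example, not from the original article or from Nginx: it builds a block tree from configuration text and lists the server and location blocks whose effective autoindex is on. The sample configuration is constructed, and the tokenizer assumes no '#', '{', '}' or ';' inside quoted strings.

```python
import re

# Constructed sample: the first server mirrors the article's config; the second
# sets autoindex at server level, after its location blocks.
SAMPLE_CONF = """
server {
    listen 80;
    root /path/to/root;
    location / { index index.php index.html index.htm; }
    location /somedir { autoindex on; }
}
server {
    listen 8080;
    location /files { }
    location /private { autoindex off; }
    autoindex on;  # inherited by /files, overridden by /private
}
"""

def parse_blocks(conf_text):
    """Build a tree of blocks; 'own' is the block's autoindex value or None."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # simplification: no '#' inside quotes
    root = {"name": "main", "own": None, "children": []}
    stack, pending = [root], ""
    for tok in re.findall(r"[^{};]+|[{};]", text):
        if tok == "{":
            block = {"name": " ".join(pending.split()), "own": None, "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        elif tok == ";":
            words = pending.split()
            if len(words) == 2 and words[0] == "autoindex":
                stack[-1]["own"] = words[1]
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        pending = "" if tok in ("{", "}", ";") else tok
    return root

def listing_enabled(block, inherited="off", path=()):
    """Return paths of blocks whose effective autoindex is on (built-in default: off)."""
    effective = block["own"] or inherited
    here = path + (block["name"],)
    hits = [" > ".join(here)] if effective == "on" and block["name"] != "main" else []
    for child in block["children"]:
        hits += listing_enabled(child, effective, here)
    return hits

if __name__ == "__main__":
    print("\n".join(listing_enabled(parse_blocks(SAMPLE_CONF))))
```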
Disabling Directory Listing on LiteSpeed Server
Similar to all other web servers we've covered so far, on the LiteSpeed web server you can disable directory listing at both web server and website level. To disable directory listing at the server level, you can manually update the httpd_config.xml file. On the other hand, you can also do it by using LiteSpeed server control panel.
httpd_config.xml file:
As you can see from the code example in the screenshot above, if you want to disable directory listing at the server level, add the following line to the httpd_config.xml file:
    <autoIndex>0</autoIndex>
vhconf.xml:
If you want to enable or disable directory listing at website level, you need to follow the /VIRTUAL_HOST_ADI/conf/vhconf.xml path and make the relevant definitions in that file.
Disabling Directory Listing on Lighttpd Server
Directory listing is disabled by default on a Lighttpd web server. However, it is possible to disable directory listing from the dirlisting.conf file if it was enabled because of a regression or configuration changes. The configuration file of the mod_dirlisting is /etc/lighttpd/conf.d/dirlisting.conf.
To disable directory listing on the server, you must replace the related line with the following:
    dir-listing.activate = "disable"
If you want to enable directory listing for a particular directory, you must make the following changes in the configuration file specifically for that directory:
    $HTTP["url"] =~ "^/download($|/)" {
        dir-listing.activate = "enable"
    }
Disabling Directory Listing on IIS Server
The directory listing on the IIS web server is disabled by default. However, it is possible to disable directory listing from the configuration interface of IIS web server if it was enabled because of a regression or configuration changes.
For IIS7 and Above
You can disable directory listing from the Directory Browsing settings in the IIS manager console.
Or else you can execute the following command in the command line:
    appcmd set config /section:directoryBrowse /enabled:false
Disabling Directory Listing on Apache Web Server
In order to disable directory listing on an Apache web server you have to create a .htaccess file in the related application directory. You can add the following lines to the httpd.conf file or replace the existing lines with the following:
Options FollowSymLinks
As you can see from the example code above, you should remove the Indexes and MultiViews statements so that the directory listing feature is disabled safely on an Apache web server.