Why Is Directory Listing Dangerous?

Directory listing is a web server function that displays the directory contents when there is no index file in a specific website directory. It is dangerous to leave this function turned on for the web server because it leads to information disclosure.

For example, when a user requests www.acunetix.com without specifying a file (such as index.html, index.php, or default.asp), the web server processes this request, returns the index file for that directory, and the browser displays the website. However, if the index file did not exist and if directory listing was turned on, the web server would return the contents of the directory instead.

Many webmasters follow security through obscurity. They assume that if there are no links to files in a directory, nobody can access them. This is not true. Many web vulnerability scanners such as Acunetix easily discover such directories and all files if directory listing is turned on. This means that black hat hackers can also find such files easily. This is why directory listing should never be turned on, especially in the case of dynamic websites and web applications, including WordPress sites.

Directory Browsing Without Directory Listing

Even if directory listing is disabled on a web server, attackers might discover and exploit web server vulnerabilities that let them perform directory browsing. For example, there was an old Apache Tomcat vulnerability, where improper handling of null bytes (%00) and backslash (\) made it prone to directory listing attacks.

Attackers might also discover directory indexes using cached or historical data contained in online databases. For example, Google’s cache database might contain historical data for a target, which previously had directory listing enabled. Such data allows the attacker to gain the information needed without having to exploit vulnerabilities.

Directory Listing Example

A user makes a website request to www.vulnweb.com/admin/. The response from the server includes the directory content of the directory admin, as seen in the below screenshot.

From the above directory listing, you can see that in the admin directory there is a sub-directory called backup, which might include enough information for an attacker to craft an attack.

The attacker can display the whole list of files in the backup directory. This directory includes sensitive files such as password files, database files, FTP logs, and PHP scripts. It is obvious that this information was not intended for public view.

Misconfiguration of the web server has led to file list disclosure and the data is publicly available. Moreover, files like these, such as FTP logs, might contain other sensitive information such as usernames, IP addresses, and the complete directory structure of the web hosting operating system.

How to Disable Directory Listing

To disable directory listing, you must change your web server configuration. Here is how you can do it for the most popular web servers:

Apache Web Server

You can disable directory listing by setting the Options directive in the Apache httpd.conf file by adding the following line:

<Directory /your/website/directory>Options -Indexes</Directory>

You can also add this directive in your .htaccess files but make sure to turn off directory listing for your entire site, not just for selected directories.

nginx

Directory indexing is disabled by default in nginx so you do not need to configure anything.

However, if it was turned on before, you can turn it off by opening the nginx.conf configuration file and changing autoindex on to autoindex off.

https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/?fbclid=IwAR02olQfq5_lEt_2KHBRPgXK9LFsWhRCzfNfL0Al7NYzN-dbRxo_uQiMws4

Zero Trust is a popular concept in cybersecurity. It initially referred to enterprise security teams who built processes that removed all trust from end-users. 

This is a valid approach. I, for example, like to run companies that do not mind if employees click on bad links. We understand it will be impossible to avoid, so we prepare for the inevitable — and have zero trust that there will be perfect behavior from our employees.

But when the “trust balloon” is squeezed to remove trust from end-users, then where does it go? There are two possible recipients: enterprise security organizations and the software that enterprises purchase. 

Given that security organizations are ubiquitously understaffed and overwhelmed, market forces have stepped in to squeeze the trust balloon once more. Trust has been eliminated from the end-user and delegated by understaffed enterprise security organizations to big service providers and software companies. We trust Big Tech — Google, Facebook, Amazon, Microsoft, Slack, and Zoom — to be the stewards of our most critical data. We have given our trust to an industry built upon speed and risk acceptance that has no liability other than market forces.

Where shifting trust models go wrong 

While it may seem a reasonable solution to trust Big Tech with your data, you need to first be clear about one thing — these companies are primarily interested in growing their market share, not security. For example, Zappos is okay with some level of fraud, Microsoft Teams is okay with occasional remote code execution, and SolarWinds was more profitable if they did not keep tabs on their software build processes. In these cases. data security and privacy were decoupled from profitability and valuation. Low quality and high risk were acceptable outcomes in pursuit of high valuations and executive wealth creation.

But the Department of Justice cannot operate in a similar risk model. It is not okay for Russia to have unfettered access to DOJ email and the Office of Personnel Management cannot be okay with the occasional breach giving China’s intelligence agency access to the personnel files of 22 million government employees. It’s obvious that our national security interests are not supported by the use of vulnerable software. And yet, the national security apparatus is reliant upon technology that prioritizes profitability and valuation above all else.

The effect of market forces on security

Market forces have dictated that a move fast and break things mentality is the most reliable way to achieve the highest possible market share and valuation. For a tech CEO, the longest path to billionaire status has been developing secure, well-engineered products. Our shifting trust models have placed the responsibility for data security at the feet of the decision-makers with the least incentive to build secure software. 

I don’t mean to suggest that the billionaire CEOs of the world’s largest software companies are naturally inclined to abuse privacy and data — rather, they are profit-motivated geniuses who are naturally inclined to compete and win within the regulatory swim lanes given to them. 

The importance of liability

The Clinton administration gave the U.S. technology industry a get out of jail free card with the Telecommunications Act of 1996. As a result, Silicon Valley dominated — innovation grew and stayed in the U.S. Moving fast and breaking things was the right approach. No certifications, no permitting, no consequence for security or privacy issues. Now is the time to examine liability and put CFOs and CEOs on the hook for dodgy engineering. 

In 2013, HTC shipped 18 million vulnerable mobile devices and was fined by the Federal Trade Commission (FTC). In 2019, Google received a record $57M fine by the EU for privacy violations and in the same year, Facebook was hit with a record $5B fine for their privacy infractions. Just last December, Noah Phillips, a member of the FTC, testified to the Senate Committee on Commerce, Science, and Transportation that the FTC’s consumer privacy-enforcement actions against Facebook, TikTok, YouTube, Zoom, and other companies had already had a “greater impact than any others in the world.” This can be viewed by the layperson as progress and directionally correct.

The sad reality is that these fines are so inconsequential that they actually promote recklessness. Google generates almost $370 million per day from ads.  A “record” $57M fine is not a speed bump — it is an invitation to hit the gas. More than ever, market forces are signaling to the technology industry that ignoring security is their most profitable strategy. Enter the conga line of security vulnerabilities and breaches in 2020.

This is just a sampling of the security incidents in the past year that were most emblematic of poorly engineered software that impacted large enterprises and national security:

• Microsoft, January 22

• Walgreens, March 2

• T-Mobile, March 5

• Unnamed U.K-Based Security Firm, March 19

• General Electric, March 24

• Zoom, April 14

• Facebook, April 21

• Small Business Administration, April 27

• GoDaddy, May 4

• U.S. Marshals, May 13

• Cognizant, June 17

• BlueLeaks, June 22

• Twitter, June 23

• Instagram, TikTok, & YouTube, August 20

• Fragomen, Del Rey, Bernsen & Loewy (Google), October 27

• Microsoft, December 8

• FireEye/SolarWinds/DOJ/et al, December 8
  

There are talented security minds employed at most large software companies, but their functions are starved and underserved. They will remain so unless regulators become serious about enforcement. Fines should be increased to levels that have a material impact. Sticks can be motivating, but carrots work too. Balance sheets should be audited and investment in security engineering increased industry-wide.  Software vulnerabilities and data breaches should trigger mandatory oversight and increases in security budgets.

Related: 5 Key Security Considerations For Securing the Remote Workforce

What can be done?

We should be requiring more from tech companies and creating regulatory frameworks that hold them liable for unacceptable product security. The question facing our industry is NOT whether the breach and response playbook used for building and selling video doorbells should be used by the Pentagon. We know the answer is no. 

We just have to stop lowering our security standards in the name of convenience. The massive costs required to recover from the SolarWinds/Microsoft breach is not an acceptable burden for taxpayers to shoulder. We give all our trust to large technology providers — trillions of dollars of wealth are created in these software companies. It's now time for these companies to own their fair share of liability as well.

PRINCETON, N.J. (Nov. 19, 2020) QBE, a top 20 international insurance provider with 60 branch offices in 27 countries, also operates 6 dedicated data centers in various locations around the world. The ability to ensure 24/7 uptime of the IT infrastructure is pivotal to their business. This means they must always have access to critical IT assets like routers, switches, firewalls, servers, power, storage, and telecom appliances that operate the backbone communication framework.

“As a company, we pride ourselves on strength, resilience, and dependability,” says Andreas Themistocleous, Global Technical Lead Networks at QBE. “This must also be reflected in our network architecture. However, not every branch office has dedicated IT staff on-site to provide support should our network go down. In the event of an outage, we need a way to access our critical infrastructure equipment.”

For this purpose, QBE chose to standardize on Perle IOLAN Console Servers to provide Out-of-Band access to Cisco Switches, Cisco Adaptive Security Appliances (ASA), Palo Alto Firewalls, and Citrix NetScaler Application Delivery Controllers (ADC). They use a combination of 4 and 8 port compact Console Servers in branch office locations, and 16 or 48 port 1U Console Servers ‘top of rack’ in their Data Centers. Because all Perle IOLAN Console Servers share the same software features and functionality, they are an ideal “one-stop-shop” solution that can fit into any environment.

Out-of-Band Management (OOBM) is a solution that provides a secure dedicated alternate access method into an IT network infrastructure to administer connected devices and IT assets without using the corporate LAN. During system or network outages, a Console Server is a single hardware solution that provides secure OOBM to monitor IT assets and devices from multiple vendors. The Console Server gives administrators access to multiple admin console ports from anywhere, anytime, and any platform, as if they were directly connected. They can be used to reconfigure, reboot, and reimage remotely across the internet or WANs. Disruption and downtime are minimized by providing better visibility of the physical environment and the physical status of equipment. This ensures business continuity through improved uptime and efficiencies.

About QBE: – https://www.qbe.com

Founded in 1886, QBE Insurance Group is one of the world's top 20 general insurance and reinsurance companies, with operations in all the key insurance markets. QBE is listed on the Australian Securities Exchange and is headquartered in Sydney. We employ more than 11,700 people in 27 countries.