It’s more of a question for techies I’m sure, but sometimes if you type in a url that doesn’t contain a .html file, it simply brings up a directory listing of all the files and folders located at that url. Is there any way of doing this at the main url location, rather than have the web page come up?
No. If the person who built the site put an index file there, then you will not get a directory listing.
Furthermore, it’s considered bad practice to allow viewing of files on a website. It’s becoming rare to find pages that do it.
Web servers define a default filename that will be used if you supply only a path. On most Unix servers, this is index.html. On Microsoft IIS, it is default.htm. In any case, the admin can reset the default name to whatever they like.
On some servers, if you supply a URL with no filename and the default filename is not present, the server will provide a directory listing for the specified path. This is desirable for some FTP-type file transfer functions, but it is generally not good for a webserver because it subverts the intended navigation built into the website. For that reason, most webservers are configured to return an HTTP error code if the default file is missing (I believe 403-Forbidden is typical).
It is commonly argued that providing the directory listing is a security problem, but I submit that no non-public files should be on the server anyway, and a cracker can learn very little from the file structure that they don’t already know. The main reason to turn off this functionality is that it’s rude to your users to suddenly dump them in a file list with no indication of where they should go.
Royal, for unix-like systems, it is relatively easy to prevent most users from getting out of the initial directory tree. I don’t know Windows well but I’m sure recent releases have similar functionality. Any attempts to break out of the initial directory tree would require hacking and would be illegal and I strongly discourage that sort of thing. If you’re asking for that kind of information, I’m quite sure the mods won’t allow it to be discussed on this board.
This doesn’t mean there aren’t ways, only that you shouldn’t try them and we shouldn’t be telling you how. Any systems that are configured badly enough to let you out of the initial tree should be corrected because they are security problems.
If you’re setting up a web server for yourself and want to make sure it’s secure, there are lots of resources available. Look in the network security section of any decent bookstore for security on the OS of your choice. Try sites like http://www.sans.org . This should get you started.
I’m not trying to hack in to anything, just a few mates and I are fiddling with a new server we set up and as has been discussed, we want to learn more about security issues. Thanks for the inputs.
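The behaviour described in the replies above (a default file served for a bare path, and a 403 instead of a listing when that file is missing), as an added example that is not part of the original thread. It uses Python's built-in `http.server` as a stand-in for a real web server; `NoListingHandler`, `fetch_status`, `build_docroot` and the sample site are constructed for illustration.

```python
import http.client
import os
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


class NoListingHandler(SimpleHTTPRequestHandler):
    """Serve the default file for a directory; never generate a listing."""

    def list_directory(self, path):
        # The stock handler calls this only when the directory has no index file.
        self.send_error(403, "Directory listing disabled")
        return None


def fetch_status(handler_cls, docroot, url_path):
    """Run a throwaway localhost server and return (status, body) for url_path."""
    server = ThreadingHTTPServer(("127.0.0.1", 0),
                                 partial(handler_cls, directory=docroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1],
                                          timeout=5)
        conn.request("GET", url_path)
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
        conn.close()
        return resp.status, body
    finally:
        server.shutdown()
        server.server_close()


def build_docroot():
    """Constructed sample site: / has an index.html, /files/ has none."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "files"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>home</h1>")
    with open(os.path.join(root, "files", "backup.zip"), "w") as fh:
        fh.write("constructed placeholder content")
    return root


if __name__ == "__main__":
    root = build_docroot()
    for handler in (SimpleHTTPRequestHandler, NoListingHandler):
        for path in ("/", "/files/", "/files/backup.zip"):
            print(handler.__name__, path, fetch_status(handler, root, path)[0])
```

With the listing disabled, `/files/backup.zip` is still served to anyone who requests it by name: the 403 hides the index, not the files.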