The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

who's responsible to disable directory listing developer or server provider

Discussion in 'Security' started by webtalk, Mar 14, 2012.

  1. webtalk

    webtalk Registered

    Joined:
    Mar 14, 2012
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    As by default all cpanel accounts directory listing is enabled?

    who's responsible to disable directory listing developer or server provider.

    what do you say?
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: who's responsible to disable directory listing developer or server prov

    Hello,

    The hosting provider should have competent system administrators who are capable of auto disabling this using an .htaccess file in /root/cpanel3-skel/public_html location. The purpose of having a wide variety of tools is knowing how to use those tools and making decisions on what features should and should not be enabled on your machine.

    If you truly would like to see this option disabled by default, please feel free to post a feature request:

    Feature Requests for cPanel/WHM

    Thanks!
     
  3. webtalk

    webtalk Registered

    Joined:
    Mar 14, 2012
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Re: who's responsible to disable directory listing developer or server prov

    if developer is given full access and has control to install upload the code himself, shouldn't it be his responsibility to protect his application and code and not left it for sys admins to disable and everything for him? can't developers override the indexes in .htacess even if it is disabled by sys admisas usually developers are facilitated by .htaccess to control the code. can a decent developer leave his code unsecure with no index in document root or zip files in docurment root with no index?
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: who's responsible to disable directory listing developer or server prov

    I'm really uncertain how this is providing much of a security risk beyond the ability to see files. PHP and other coding cannot be directly viewed in a browser since the code itself doesn't output to a browser even when clicking on the file. What precisely is the issue here?
     
  5. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Re: who's responsible to disable directory listing developer or server prov

    hope this helps too:
    Apache Tips & Tricks: Disable directory indexes | MDLog:/sysadmin

    we have been following a policy that any content within the users hosting account is solely the responsibility of the user and has to be taken care of by the user too. This helps to pinpoint the responsibility in case of a cyber crime.

    However, from a sys admins perspective, as Tristan said, the risk is very minimal and disabling indexes does not offer much protection, since only the visibility of the files is restricted. the files may still be accessed through a direct URL.
     

Share This Page