Hi,

I'm not exactly sure which section to post this in, because it doesn't fall exactly under any of the categories. Anyways, is there a way for someone to see the contents of the folder "http://www.example.com/examplefolder/" if there already is a "http://www.example.com/examplefolder/index.html"?

Thanks.

It should not, but it depends of the web server.
But, the default behavior (of the web servers) is usually to display index.[htm|html|php|asp|aspx] if it exists.
And to display a list of the files if this is enabled.
If the listing is disabled, the user receives an "access denied" page

Thanks tripy.

What if the listing was enabled, and someone wanted to see the contents of /examplefolder/? Is there a possible way to do so, even if index.html is present? I guess bypassing index.html to view the file listing?

No, it should not be possible, at least, not with apache.

As said previously, if there is an index.[valid extension] file in the folder, the contents aren't displayed. There is no way to see them.

If you want to hide the contents of a folder, but don't want to add an index.html file, you can use .htaccess if your web host has it enabled. I actually wrote up a post about this a month or so ago.

http://www.itsananderson.com/2008/12...-security-tip/

Check it out if that's what you're trying to do.

How would one go about displaying the contents of a folder which doesn't have an index.xxx file?

why would you want to make that info public?

Quote:

Originally Posted by magicvw

How would one go about displaying the contents of a folder which doesn't have an index.xxx file?

Normally it will all show itself. But if the host is denying it, you could create an index.xxx file with some code like this:

PHP Code:

<?php
function list_files($dir)
{
  if(is_dir($dir))
  {
    if($handle = opendir($dir))
    {
      while(($file = readdir($handle)) !== false)
      {
        if($file != "." && $file != ".." && $file != "Thumbs.db"/*pesky windows, images..*/)
        {
          echo '<a target="_blank" href="'.$dir.$file.'">'.$file.'</a><br>'."\n";
        }
      }
      closedir($handle);
    }
  }
}
?>
<?php list_files("/directoryyouwanttolist/"); ?>

- Steve

Sorry, I didn't explain what I meant!

I don't want to show anyone the full contents of a directory. I have some directories which I don't want other people to be able to see the full contents of - all the files have very obscure names but I don't want them password protected. If someone wanted to try to find out what the contents of the directory is, how would they go about it?

Quote:

If someone wanted to try to find out what the contents of the directory is, how would they go about it?

If you link to the files anywhere on your site, very easily. They just go back up the directory tree.

If your server allows directory browsing, up will pop a list of files and folders.

Quote:

Originally Posted by chrishirst

If you link to the files anywhere on your site, very easily. They just go back up the directory tree.

If your server allows directory browsing, up will pop a list of files and folders.

I don't link to them - i send people to them via paypal's redirect after purchase whatsit.

How do I find out if the server allows directory browsing? (it's not my server)

Quote:

How do I find out if the server allows directory browsing?

Type the folder URI into a browser.

Quote:

Originally Posted by chrishirst

Type the folder URI into a browser.

I get

Forbidden

You don't have permission to access /xxxxxxx/xxx/ on this server.



But how safe is it?

It's either forbidden because the function is not activated, your ip address is in a black list, or you didn't provided a valid username/pasword to the server.

Either case, this cannot be avoided.
It's as safe as the web server program is safe, but given the coverage of apache, I'd say you don't risk too much trusting it.

Options -Indexes in .htaccess.

Quote:

Originally Posted by tripy

It's either forbidden because the function is not activated, your ip address is in a black list, or you didn't provided a valid username/pasword to the server.

Either case, this cannot be avoided.
It's as safe as the web server program is safe, but given the coverage of apache, I'd say you don't risk too much trusting it.

Well it must be the first one, so that's good. Not that I stand to lose very much as I'm not exactly hot property, but it's nice to know. Thanks!

Quote:

Originally Posted by magicvw

I get

Forbidden

You don't have permission to access /xxxxxxx/xxx/ on this server.



But how safe is it?

Security by Obscurity.

If they can't see it they can't steal it