Thread: Apache Virtual Host Security Problem


    I have an Apache server running a site that authenticates with login.php.
    Basically it allows editing the address and jumping to folder browsing!
    Problem:
    http://10.10.10.1/wwwroot/QA/acceso/...so%2Findex.php
    That brings up the login.php page

    But I can easily avoid it by typing:
    http://10.10.10.1/wwwroot/QA
    Now I can BROWSE ALL FOLDERS!!!

    I must fix this security problem. Please help me out.
    My apache2 is using virtual hosts and I got the default config like this:

    Code:
    NameVirtualHost *
    <VirtualHost *>
            ServerAdmin webmaster@localhost
    
            DocumentRoot /var/www
            <Directory />
    #               Options FollowSymLinks
                    AllowOverride None
            </Directory>
    
            <Directory /var/www/>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride None
                    Order allow,deny
                    allow from all
                    # Uncomment this directive is you want to see apache2's
                    # default start page (in /apache2-default) when you go to /
                    #RedirectMatch ^/$ /apache2-default/
            </Directory>
    
            ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
            <Directory "/usr/lib/cgi-bin">
                    AllowOverride None
                    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                    Order allow,deny
                    Allow from all
            </Directory>
    
            ErrorLog /var/log/apache2/error.log
            # Possible values include: debug, info, notice, warn, error, crit,
            # alert, emerg.
            LogLevel notice
    
            CustomLog /var/log/apache2/access.log combined
            ServerSignature On
    
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
    
    </VirtualHost>
    *edit
    I just saw that under /var/www/index.php redirects to
    /wwwroot/QA/acceso/login.php

    Should I be using Directory Alias?
    How can I deny folder browsing, without messing with the application?
    The problem I see is that if I define DocumentRoot to
    the location of login.php, the other files are in a folder under...
    ex:
    /wwwroot/QA/acceso/login.php
    Files locations
    /wwwroot/QA/files/
    /wwwroot/QA/morefiles/

    hope I was clear enough, any advice is welcome.
    Last edited by xoroz; November 19th, 2008 at 01:03 PM.
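As an added example, not the poster's config: the same `<Directory /var/www/>` block with directory listings disabled, in the Apache 2.2 syntax the posted config uses (on 2.4 the Order/allow lines become `Require all granted`). It assumes the application only needs its files and index pages served, never a listing.

```apache
# Added example (not the poster's config): the /var/www block from the
# vhost above with directory listings turned off.
<Directory /var/www/>
        # "-Indexes" removes the automatic folder listing. Files such as
        # index.php and login.php are still served exactly as before; a
        # request for a folder with no index file now returns 403 Forbidden
        # instead of the file list.
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
</Directory>
```

After `apache2ctl configtest` and a reload, a request for http://10.10.10.1/wwwroot/QA/ should return 403 rather than the listing. Note that this only stops browsing: the PHP login protects only the pages that check for a session, so anything under /wwwroot/QA/files/ that must not be public still needs its own access control (in PHP or with a Deny rule on that directory).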
