| Field | Value |
|---|---|
| VID | 22081 |
| Severity | 20 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | By making a request to the Apache web server ending in '?M=A' or '?S=D', it is possible to obtain a directory listing even if an index.html file is present. The AutoIndex module for Apache provides automatic indexing of directories within the webroot. Some administrators may rely on the presence of an 'index.html' to ensure that the actual contents of the directory will not be disclosed. There exists a possible vulnerability in this module that can allow for disclosure of directory contents despite the presence of an 'index.html'. Exploitation of this vulnerability may disclose sensitive information to attackers, especially if 'index.html' is relied upon for preventing this. The following index parameters will cause directory contents to be disclosed: http://target-webserver/?M=A, http://target-webserver/?S=D |
| Recommendation | A workaround is to disable the module or remove the index options from the Apache configuration file, httpd.conf. |
| Related URL | CVE-2001-0731 (CVE) |
| Related URL | 3009 (SecurityFocus) |
| Related URL | 8275 (ISS) |
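
To check whether the request pattern described above has already been seen by a server, the following added example (not part of the original record) scans Apache access-log lines for successful directory requests whose query string is an AutoIndex sort parameter. It goes slightly beyond the two parameters listed in the record by matching the whole column-sort family; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache common/combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+'
)
# ?M=A and ?S=D are the parameters named in the advisory; the pattern also
# covers the rest of the column-sort family (N, M, S, D with A or D).
SORT_QUERY_RE = re.compile(r'[NMSD]=[AD]')


def find_sort_query_requests(lines):
    """Return (host, time, target) for successful directory requests
    whose whole query string is an autoindex sort parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m.group("method") not in ("GET", "HEAD"):
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/"):          # only directory URLs are indexed
            continue
        if not SORT_QUERY_RE.fullmatch(url.query):
            continue
        if m.group("status") != "200":          # 403/404 means nothing was listed
            continue
        hits.append((m.group("host"), m.group("time"), m.group("target")))
    return hits


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2001:10:01:02 +0000] "GET / HTTP/1.0" 200 1043',
    '192.0.2.44 - - [12/Jul/2001:10:03:17 +0000] "GET /?M=A HTTP/1.0" 200 2310',
    '192.0.2.44 - - [12/Jul/2001:10:03:19 +0000] "GET /docs/?S=D HTTP/1.0" 200 5120',
    '198.51.100.7 - - [12/Jul/2001:10:05:40 +0000] "GET /private/?M=A HTTP/1.0" 403 289',
    '198.51.100.7 - - [12/Jul/2001:10:06:02 +0000] "GET /search/?q=M=A HTTP/1.0" 200 800',
    '203.0.113.5 - - [12/Jul/2001:10:07:55 +0000] "GET /index.html?M=A HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for host, when, target in find_sort_query_requests(SAMPLE_LOG):
        print(f"{when}  {host}  {target}")
```

On directories where automatic indexing is intentionally enabled these requests are ordinary column-sort clicks, so review hits against the directories that are expected to serve an index.html instead of a listing.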