Project

General

Profile

Actions

Feature #3085

closed

Make dir listing error from 403 to 404 (or configureable over Config file)

Added by Anonymous 12 days ago. Updated 12 days ago.

Status:
Invalid
Priority:
Normal
Category:
-
Target version:
ASK QUESTIONS IN Forums:
No

Description

Due to some security issues detected by Nexus Scan, it would be good if the directories which are not allowed to be listed return 404 instead of 403.

Because 403 lets the attacker assume the structure of the system, while 404 leaves him in the dark.

So for example calling an existing directory:

mydomain.com/secret/

shall return 404 instead of 403

If the directory really does not exists a 404 is returned which is correct.

Actions #1

Updated by gstrauss 12 days ago

  • Status changed from New to Invalid

Due to some security issues detected by Nexus Scan, it would be good if the directories which are not allowed to be listed return 404 instead of 403.

No details provided to back up your statements. No references.
Therefore, your statement is not credible. "it would be good if" is a laughable and unsubstantiated statement from you.

Also, if you review your post history on this site, you tend to post before reading documentation: Docs_ConfigurationOptions

lighttpd provides at least four different ways for you to control how errors documents are served.
server.error-handler
server.error-handler-404
mod_magnet magnet.attract-response-start-to
You can also configure lighttpd.conf to deactivate mod_dirlisting for forbidden dirs, or to enable mod_dirlisting only for allowed dirs.
In some situations -- I don't know yours specifically -- you can keep restricted material outside of the web document root, and can use mod_alias (only if needed) to allow specific access to directory trees outside the web document root.

I henceforth intend to immediately Invalidate any of your posts to the lighttpd issue tracker. Please post in the "Forums" (see tab at top of page), and only after you have tried to find some solution(s) by reading the documentation.

Actions

Also available in: Atom