Feature #3085
closed
Make dir listing error from 403 to 404 (or configurable over Config file)
Description
Due to some security issues detected by Nexus Scan, it would be good if the directories which are not allowed to be listed return 404 instead of 403.
Because 403 lets the attacker assume the structure of the system, while 404 leaves him in the dark.
So for example calling an existing directory:
mydomain.com/secret/
shall return 404 instead of 403.
If the directory really does not exist, a 404 is returned, which is correct.
Updated by gstrauss over 3 years ago
- Status changed from New to Invalid
> Due to some security issues detected by Nexus Scan, it would be good if the directories which are not allowed to be listed return 404 instead of 403.
No details provided to back up your statements. No references.
Therefore, your statement is not credible. "it would be good if" is a laughable and unsubstantiated statement from you.
Also, if you review your post history on this site, you tend to post before reading documentation: Docs_ConfigurationOptions
lighttpd provides at least four different ways for you to control how error documents are served.
server.error-handler
server.error-handler-404
mod_magnet magnet.attract-response-start-to
You can also configure lighttpd.conf to deactivate mod_dirlisting for forbidden dirs, or to enable mod_dirlisting only for allowed dirs.
In some situations -- I don't know yours specifically -- you can keep restricted material outside of the web document root, and can use mod_alias (only if needed) to allow specific access to directory trees outside the web document root.
I henceforth intend to immediately Invalidate any of your posts to the lighttpd issue tracker. Please post in the "Forums" (see tab at top of page), and only after you have tried to find some solution(s) by reading the documentation.
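One way to apply the `server.error-handler` option named in the reply above to the 403-versus-404 case, as an added example that is not from this thread or from the lighttpd project: a CGI handler that answers a forbidden request exactly like a missing one. It assumes lighttpd hands the original status to a dynamic handler in the `REDIRECT_STATUS` environment variable and honours the `Status:` header the handler emits; the script path and body text are made up.

```python
#!/usr/bin/env python3
"""CGI error handler: report 403 as 404 so forbidden and missing paths look alike.

Assumed lighttpd.conf wiring (hypothetical path, CGI support must be enabled):
    server.error-handler = "/cgi-bin/error.py"
Assumption: the original status arrives in the REDIRECT_STATUS env variable.
"""
import os
import sys
from http import HTTPStatus

# Statuses collapsed into 404; every other error status passes through.
MASKED = {403}
GENERIC_BODY = "Not Found\n"  # constructed body, shared by 403 and real 404


def outgoing_status(environ):
    """Return the status code to send, given the CGI environment."""
    try:
        code = int(environ.get("REDIRECT_STATUS", ""))
    except ValueError:
        return 500  # invoked without a usable status: fail closed
    if code in MASKED:
        return 404
    if not 400 <= code <= 599:
        return 500  # an error handler should never see a non-error status
    return code


def build_response(environ):
    """Build the full CGI response (headers, blank line, body) as a string."""
    code = outgoing_status(environ)
    try:
        phrase = HTTPStatus(code).phrase
    except ValueError:
        phrase = "Error"
    # A masked 403 must be byte-identical to a genuine 404, body included.
    body = GENERIC_BODY if code == 404 else f"{code} {phrase}\n"
    headers = [
        f"Status: {code} {phrase}",
        "Content-Type: text/plain; charset=utf-8",
        f"Content-Length: {len(body.encode('utf-8'))}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


if __name__ == "__main__":
    sys.stdout.write(build_response(os.environ))
```

Masking only the status line is not enough: the two cases stay distinguishable if the body, headers or length differ, which is why both paths share one body here.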