On Mar 17, 9:38 pm, "Ken Schaefer" <kenREM...@THISadOpenStatic.com> wrote:
> Well, people can simply guess the filenames I suppose.
>
> If you don't want people being able to access files they shouldn't have
> access to, then you should implement an authentication/authorization system,
> rather than providing anonymous access.
>
> Cheers
> Ken
>
> "Sean S" <Se...@discussions.microsoft.com> wrote in message
>
> news:B86F89E5-E731-4490-AE76-A283532B241A@microsoft.com...
>
>
>
> > Hi all,
>
> > How hard (or easy) is it for a site visitor to discover the filenames of
> > files in directory that has 'Directory browsing' disabled?
>
> > I have a contractor who is planning to do this with some files on our site
> > and need some advice.
>
> > Sean.
The correct way to handle "discovery" of filenames that should not be
discoverable is either:
1. Enable Authentication
2. Do NOT put those files in a web-accessible directory
The whole purpose of putting files in a web-accessible directory is to
make them available, and HTTP has no provision to control their
access. Thus, your only choices for access control are to either enable
authentication to authorize who can view such files, or don't even
make them available at all.
You *could* use IIsWebFile to deny IIS Read access to the resource,
but then anytime you rename the resource, you must modify the
IIsWebFile's name. Plus, the file is still accessible in the
web-directory, so if you have exploitable script code it can be easily
bypassed to view contents of your web-directory.
As soon as you make them available in the web-directory, want to
secure them, but don't want to enable the built-in Authentication,
then you will have to write your own authentication/authorization
system, which everyone loves to do but no one gets it right. Whenever
you roll your own authentication/authorization system, consider it a
security vulnerability and exploit waiting to happen.
//David
http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang
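The post's second option, carried into code as an added example that is not from this thread or from IIS: the files sit in a directory the web server does not expose, and a handler releases one only to a caller the platform has already authenticated, after confirming the resolved path stays inside that store and running the application's authorization rule before the existence check, so a caller who is not allowed a name cannot probe for it by guessing. The store location, user names and ACL are constructed for illustration.

```python
import os
import tempfile

class Forbidden(Exception): pass   # anonymous, unauthorized, or path outside the store
class NotFound(Exception): pass    # raised only after authorization, so it leaks nothing

def serve_protected_file(store_root, requested_name, user, is_authorized):
    """Return the bytes of requested_name from store_root, a directory the web server
    does not expose. `user` is the identity the platform's built-in authentication
    established (None for anonymous); `is_authorized(user, name)` is the app's rule."""
    if user is None:
        raise Forbidden("authentication required")
    root = os.path.realpath(store_root)
    # Resolve symlinks and '..' so a crafted name cannot escape the store.
    candidate = os.path.realpath(os.path.join(root, requested_name))
    if os.path.commonpath([root, candidate]) != root:
        raise Forbidden("path escapes the protected store")
    # Authorization before the existence check, so a caller not allowed a name cannot probe for it.
    if not is_authorized(user, os.path.relpath(candidate, root)):
        raise Forbidden("not authorized for this file")
    if not os.path.isfile(candidate):
        raise NotFound(requested_name)
    with open(candidate, "rb") as f:
        return f.read()

def demo():
    """Exercise the handler on a throwaway store with constructed files and a constructed ACL."""
    acl = {"alice": {"report.pdf"}, "bob": {"report.pdf", "archive.zip"}}
    def is_authorized(user, name):
        return name in acl.get(user, set())
    results = {}
    with tempfile.TemporaryDirectory() as store:
        for name in ("report.pdf", "payroll.xlsx"):
            with open(os.path.join(store, name), "wb") as f:
                f.write(b"contents of " + name.encode())
        results["alice_report"] = serve_protected_file(store, "report.pdf", "alice", is_authorized)
        cases = (("anon", "report.pdf", None),                # not authenticated
                 ("alice_payroll", "payroll.xlsx", "alice"),  # exists, not in alice's ACL
                 ("traversal", "../../etc/passwd", "bob"),    # escapes the store
                 ("missing", "archive.zip", "bob"))           # allowed, but absent
        for label, name, user in cases:
            try:
                serve_protected_file(store, name, user, is_authorized)
                results[label] = "served"
            except Forbidden:
                results[label] = "forbidden"
            except NotFound:
                results[label] = "not found"
    return results
```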