From APACHE 2.2 Site for UNIX Security Technical Implementation Guide
Part of WG170
The goal is to completely control the web users experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server’s directory structure by locating directories with default pages. This practice helps ensure that the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version.
To view the DocumentRoot value enter the following command: awk '{print $1,$2,$3}' /usr/local/apache2/conf/httpd.conf|grep -i DocumentRoot|grep -v '^#' Note each location following the DocumentRoot string, this is the configured path(s) to the document root directory(s). To view a list of the directories and sub-directories and the file index.html, from each stated DocumentRoot location enter the following commands: find . -type d find . -type f -name index.html Review the results for each document root directory and it's subdirectories. If a directory does not contain an index.html or equivalent default document, this is a finding.
Add a default document to the applicable directories.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer