PDA

View Full Version : Parent directory visible to all



Daffodil
06-12-2006, 01:22 AM
I just realized, after 4 years, that for some reason, my parent directories at every level give away their content when their path is typed in the address bar! Therefore anyone knowing how to find the differant levels of directories (right-click, properties, url) can actually access any file in that directory, including those protected by a password protected portal :(

What can I do to avoid that?

If someone types

http://host.mydomain.com/assets

right now they get a page with the list of everything that is in the folder "assets" (directory)!

I want an error page to show up not my entire life LOL:eek:

That makes me think.... My hosting service gives me the option to point to a specific file for 404 errors. I created a 404.htm page and put it in

www.mydomaine.com/404.htm.

Than I typed 404.htm as the file to point to in the domain admin panel. But it never shows up just the generic browser 404. Am I doing something wrong?

:cool:

djr33
06-12-2006, 07:47 AM
I can't answer about your specific host, but you could use a .htaccess method to disable viewing of your directories.
If you don't want to deal with .htaccess, though, or can't if you host blocks it...
you could just put a page in the root of all the directories. You should always have a page there, anyway, as people might get lost if you don't.
If you don't want a full page, you could even just use:
<html>
<head>
<meta http-equiv="refresh" content="0;url=page.htm">
</head>
</html>

Now... just change page.htm to your choice of your error page or your 404 page.
The 0 means right away... 5 would be wait 5 seconds.
this will send the user to the page of your choice.
Even if it doesn't work, it will stop them from just viewing the directory by having something, anything, there.
(Not sure if in this simple a page you need body tags, but couldn't hurt to add them, I guess.)

Twey
06-12-2006, 05:07 PM
You don't need to. Remove "read" permission (4) from the directories, but leave "execute" (1). That will allow users to access the files inside the directory, but will deny them access to the directory listing.

djr33
06-12-2006, 08:24 PM
If the host allows that :)

Twey
06-12-2006, 08:30 PM
Oh, and also:
Than I typed 404.htm as the file to point to in the domain admin panel. But it never shows up just the generic browser 404. Am I doing something wrong?IE requires that your error page be a certain length, or it won't display it. I think it's 256 bytes.

BLiZZaRD
06-13-2006, 03:21 PM
You could always just add a blank index.html page in that directory.

With an index.html page you don't need to type in the index.html in the URL, as the directory will defualt to it.

so

http://host.myspace.com/

is the same thing as typing

http://host.myspace.com/index.html

They will both show in the index page and nothing else.

You can put links on your index page to direct them to certain pages/files... or just leave it blank.

~BLiZZ

Daffodil
06-14-2006, 12:25 AM
Thank you guys this is very helpful!!!!

I asked the host but can't control permission myself he suggested the index files or the .htaccess.

So off to try your suggestions !!!!!

BLiZZaRD
06-14-2006, 01:26 AM
Good Luck!

It is all rather simple once you are in the know ;)

~BLiZZ