Admin authentication question

Post by rick.whittington »

I'm working on a web site for a medical company, and because of HIPAA laws, they require their sites to be super-secure (understandably). Their system tech noticed that if they key in a URL in the admin area (for example, www.site.com/admin/themes/default/includes/) the directory listing is displayed, which is a security no-no.

I'm on a Windows server running PHP 4.4.1 and a MySQL database.

Are there any fixes for this or ways to prevent this?
RonnyK
Support Guru
Posts: 4962
Joined: Wed Oct 25, 2006 8:29 pm

Re: Admin authentication question

Post by RonnyK »

Rick,

Do you see that behaviour within CMSMS? As I don't get any listing anywhere!

I'm no dev, but I think that having an index.htm file in every folder already makes sure that no listing is done, but the file is shown instead. Also some other logic should be possible, but as said, others can tell better.

Ronny
rick.whittington

Re: Admin authentication question

Post by rick.whittington »

Good point Ronny -- I should have thought about putting an index.htm file in each directory.  Thanks for the help!
ericob

Re: Admin authentication question

Post by ericob »

If your client wants their web site "secure," I'd think one of the first things they would do is configure the web server to NOT display directory listings. I'll bet that there are other directories on the server (not part of cmsms) that do not have an index file in them and that if you entered the path to any of those directories you'd see a directory listing too!

Surely IIS has a setting for this.

For fun, you could try to find some of these and point out to the "system tech" that it appears the web server is misconfigured.  :)  [Or, maybe that wouldn't be fun... use your own judgement.]
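
An added example, not part of the original thread or of CMS Made Simple: a Python audit that walks a web root on the server and reports every directory lacking a default document, which are the directories that would be served as a listing while directory browsing stays enabled. The default-document names, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed default-document names; match these to the server's actual
# default-document list (this set is an assumption, not from the thread).
DEFAULT_DOCS = {"index.htm", "index.html", "index.php", "default.htm"}


def dirs_without_index(web_root, default_docs=DEFAULT_DOCS):
    """Return sorted web-relative paths of directories with no default document.

    While directory browsing is enabled, each of these would be served as a
    listing. File names are compared case-insensitively, as on Windows.
    """
    docs = {d.lower() for d in default_docs}
    exposed = []
    for current, _subdirs, files in os.walk(web_root):
        if not any(name.lower() in docs for name in files):
            rel = os.path.relpath(current, web_root)
            exposed.append("/" if rel == "." else "/" + rel.replace(os.sep, "/") + "/")
    return sorted(exposed)


def build_sample_tree(root):
    """Create a constructed sample layout (not a real CMSMS install)."""
    layout = {
        "": ["index.php"],
        "admin": ["index.php"],
        "admin/themes/default/includes": ["header.php"],  # no index file
        "uploads/images": ["INDEX.HTM", "logo.gif"],      # upper case still counts
    }
    for rel, files in layout.items():
        path = os.path.join(root, *rel.split("/")) if rel else root
        os.makedirs(path, exist_ok=True)
        for name in files:
            open(os.path.join(path, name), "w").close()


def audit_sample():
    """Build the sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return dirs_without_index(root)


if __name__ == "__main__":
    for path in audit_sample():
        print("no default document:", path)
```

The intermediate directories in the result show how easily per-folder index files get missed; turning directory browsing off in the web server configuration covers all of them at once.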
tsw
Power Poster
Posts: 1408
Joined: Tue Dec 13, 2005 10:50 pm

Re: Admin authentication question

Post by tsw »

or maybe switch to linux server ;)