
Admin authentication question

Posted: Mon Nov 26, 2007 7:09 pm
by rick.whittington
I'm working on a web site for a medical company, and because of HIPAA laws, they require their sites to be super-secure (understandably).  Their system tech noticed that if they key in a URL in the admin area (for example, www.site.com/admin/themes/default/includes/) the directory listing is displayed, which is a security no-no.

I'm on a Windows server running PHP 4.4.1 and a MySQL database.

Are there any fixes for this or ways to prevent this?

Re: Admin authentication question

Posted: Mon Nov 26, 2007 7:17 pm
by RonnyK
Rick,

do you see that behaviour within CMSMS? As I don't get any listing anywhere!

I'm no dev, but I think that having an index.htm file in every folder already makes sure that no listing is done, but the file is shown instead. Also some other logic should be possible, but as said, others can tell better.

Ronny

Re: Admin authentication question

Posted: Mon Nov 26, 2007 7:36 pm
by rick.whittington
Good point Ronny -- I should have thought about putting an index.htm file in each directory.  Thanks for the help!

Re: Admin authentication question

Posted: Mon Nov 26, 2007 8:23 pm
by ericob
If your client wants their web site "secure," I'd think one of the first things they would do is configure the web server to NOT display directory listings.  I'll bet that there are other directories on the server (not part of cmsms) that do not have an index file in them and that if you entered the path to any of those directories you'd see a directory listing too!

Surely IIS has a setting for this.

For fun, you could try to find some of these and point out to the "system tech" that it appears the web server is misconfigured.  :)  [Or, maybe that wouldn't be fun... use your own judgement.]
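
An added example, not part of any post in this thread: a local audit of a site's document root that lists every directory with no default document, which are the directories that fall back to a listing whenever the server's directory browsing is left on. The default-document names, the function names and the sample tree are assumptions made for illustration; match the names to the list configured on the server being checked.

```python
import os
import tempfile

# Assumed default-document names; match them to the server's own configured list.
DEFAULT_DOCS = {"index.htm", "index.html", "index.php", "default.htm"}

def dirs_without_index(root, default_docs=DEFAULT_DOCS):
    """Return directories under root (as URL-style paths) that hold no
    default document, i.e. where the server falls back to its listing setting."""
    wanted = {name.lower() for name in default_docs}
    exposed = []
    for current, _subdirs, files in os.walk(root):
        # Windows file systems are case-insensitive, so compare lowercased names.
        if not wanted & {f.lower() for f in files}:
            rel = os.path.relpath(current, root).replace(os.sep, "/")
            exposed.append("/" if rel == "." else "/" + rel + "/")
    return sorted(exposed)

def build_sample_tree(root):
    """Constructed sample layout, modelled on the path quoted in the thread."""
    layout = {
        "": ["index.php"],
        "admin": ["Index.PHP"],
        "admin/themes": [],
        "admin/themes/default": ["index.htm"],
        "admin/themes/default/includes": ["header.php"],
        "uploads": ["report.pdf"],
    }
    for rel, files in layout.items():
        path = os.path.join(root, *rel.split("/")) if rel else root
        os.makedirs(path, exist_ok=True)
        for name in files:
            with open(os.path.join(path, name), "w") as fh:
                fh.write("")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for d in dirs_without_index(build_sample_tree(tmp)):
            print("no default document:", d)
```

Run against the real document root, the output is the set of paths to re-check after directory browsing has been switched off at the server level.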

Re: Admin authentication question

Posted: Mon Nov 26, 2007 9:24 pm
by tsw
Or maybe switch to a Linux server ;)