Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

/js exposed with autoindex on, issue? #95

Closed
SadBaxter opened this issue Oct 3, 2019 · 2 comments

Comments

@SadBaxter
Copy link

commented Oct 3, 2019

Just noticed that the /js directory can be reached if autoindex is enabled on apache. Obviously that can just be turned off in apache but every other directory has either an empty index.html or code in the index.php to prevent them from being targeted directly. Was /js meant to be left like this?

@ajdonnison

This comment has been minimized.

Copy link
Contributor

commented Oct 3, 2019

There is no real reason why it was left like this, although unlike .php files, .js files are always readable anyway, so having them listed isn't much of a security issue. Opening up the debug screen available on any browser these days will show what JS files are loaded, and pointing your browser directly to the file will always show its contents. I guess for consistency we should probably include an empty index.html, but in terms of security (even security by obscurity) it is not really an issue.

@SadBaxter

This comment has been minimized.

Copy link
Author

commented Oct 9, 2019

Okay that's all good then, thank you!

@SadBaxter SadBaxter closed this Oct 9, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.