/js exposed with autoindex on, issue? #95
Just noticed that the /js directory can be reached if autoindex is enabled on Apache. Obviously that can just be turned off in Apache, but every other directory has either an empty index.html or code in the index.php to prevent them from being targeted directly. Was /js meant to be left like this?
There is no real reason why it was left like this, although unlike .php files, .js files are always readable anyway, so having them listed isn't much of a security issue. Opening up the debug screen available on any browser these days will show what JS files are loaded, and pointing your browser directly to the file will always show its contents. I guess for consistency we should probably include an empty index.html, but in terms of security (even security by obscurity) it is not really an issue.
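
An added example, not part of the original thread or the project's own code: a small audit that walks a web root and reports every directory with no index file, i.e. the ones Apache would list when autoindex is on. The index file names come from the thread; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

# Index file names taken from the thread (empty index.html, or index.php).
# Assumption: these match the server's DirectoryIndex setting.
INDEX_NAMES = ("index.html", "index.php")


def dirs_without_index(web_root, index_names=INDEX_NAMES):
    """Return directories under web_root (relative, '/'-separated, sorted)
    that hold no index file and so would be listed if autoindex is on."""
    exposed = []
    for current, subdirs, files in os.walk(web_root):
        # Skip dot-directories such as .git; they need their own access rules.
        subdirs[:] = [d for d in subdirs if not d.startswith(".")]
        if set(index_names).isdisjoint(files):
            rel = os.path.relpath(current, web_root)
            exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)


def build_sample_tree(root):
    """Constructed layout mirroring the issue: every directory has an
    index file except js/ and what sits below it."""
    layout = {
        ".": ["index.php"],
        "includes": ["index.html", "config.php"],
        "css": ["index.html", "style.css"],
        "js": ["app.js"],            # no index file, as reported
        "js/vendor": ["lib.js"],     # nested directory, also unprotected
    }
    for rel, names in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        for name in names:
            open(os.path.join(path, name), "w").close()


def demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return dirs_without_index(root)


if __name__ == "__main__":
    for d in demo():
        print("no index file:", d)
```

Run against a real checkout by calling `dirs_without_index()` with the path to the deployed web root; an empty result means every directory is covered regardless of the server's autoindex setting.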