
Security breach by using apache Options +Indexes ?



I've upgraded my hosting to Apache 2.4.7, and when editing the .conf file, I realized that the default PrestaShop configuration requires:

    <Directory "/your_dir">
        Require all granted
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

 

This means that if you then try to list a directory within PS (I'm using 1.5.4.1) such as:

http://www.your_site.com/modules

I get the dir listing.

I think this is not good from a security perspective.

 

Could I use: Options -Indexes +FollowSymLinks

Or does PS really need Indexes on?

Other alternatives/suggestions?

 


There's index.php for this.

Usually, with the default hosting configuration, you will never see a catalog listing.

I tried on a couple of hosts and had the same problem on both of them, so I don't think this is part of the default configuration.

You mean create an empty index.php in every folder? I guess if this is the case, then PS should do it in the default installation.

I think -Indexes may be easier, unless PS needs +Indexes. Can anyone confirm that?

Thanks!


PrestaShop includes an index.php file in each directory already. However, this assumes that you have configured your web server software to use index.php as the default page, and you have not shown whether you did or not.

Yes, my server is configured for index.php.

I did a quick check and it seems that modules and other folders/subfolders don't have an index.php.

Should I check one by one and then create an empty index.php?

It will be easier and more secure with -Indexes, but I'm not sure if PS needs +Indexes. Can somebody tell?


Hi, it would be best for this issue to be presented to PrestaShop developers using forge.

Please open a 'bug' report here.

Then please post back here the link to the forge report so others can follow, comment, and vote up.

Developers confirmed in forge that PS doesn't need +Indexes, so I'm going to use -Indexes, which I think is the right thing to do for most sites generally.
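
An added example, not part of the thread or of PrestaShop's code, for the "check one by one" question above: it walks a document root and reports every directory that has no index file, which are the directories mod_autoindex would list while `Options Indexes` is active. The index file names and the sample tree are assumptions constructed for the demonstration.

```python
import os
import tempfile

# Assumption: the file names the server's DirectoryIndex directive serves.
INDEX_NAMES = ("index.php", "index.html")


def listable_dirs(docroot, index_names=INDEX_NAMES):
    """Return paths (relative to docroot) of directories with no index file.

    With `Options Indexes` in effect these directories get a generated
    listing; with `Options -Indexes` the same requests are refused.
    """
    exposed = []
    for current, subdirs, files in os.walk(docroot):
        subdirs.sort()  # deterministic traversal order
        if not any(name in files for name in index_names):
            exposed.append(os.path.relpath(current, docroot))
    return exposed


def build_sample_tree(root):
    """Create a constructed sample layout (not a real PrestaShop install)."""
    layout = {
        "": ["index.php"],
        "modules": ["index.php"],
        "modules/examplemod": ["examplemod.php"],   # no index file
        "modules/examplemod/views": ["index.php"],
        "upload": [],                                # empty directory
    }
    for rel, files in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        for name in files:
            open(os.path.join(path, name), "w").close()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel in listable_dirs(build_sample_tree(tmp)):
            print("listing would be served for:", rel)
```

The scan looks only at the files on disk; it does not read per-directory `.htaccess` files, which can also change `Options` when `AllowOverride All` is set as in the configuration quoted in the first post.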
