Why is Directory Browsing on by default for: admin/modules, admin/assets and admin/images?

Hello Community,

We were patching servers yesterday and noticed that directory browsing is available for the 3 subdirectories below of the “admin” folder without authentication.

https://MyPbxServerAddress/admin/[modules | images | assets]

/var/www/html/admin/modules/
/var/www/html/admin/images/
/var/www/html/admin/assets/

This seems like an unneeded security risk. Is there a reason for this? I found an old forum post from 2013 referencing this same issue but it appears to still exist. (Prevent browsing of FreePBX admin folder sub-directories)

As a quick workaround, we executed the shell commands below on each server over SSH. They add an .htaccess file to the affected folders to stop allowing directory browsing. I have no idea whether the .htaccess files will survive future updates.

echo "Options -Indexes" >> /var/www/html/admin/modules/.htaccess
echo "Options -Indexes" >> /var/www/html/admin/images/.htaccess
echo "Options -Indexes" >> /var/www/html/admin/assets/.htaccess

Hoping someone out there knows why these are left browsable… especially without authentication.
Thank you
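An added example (not from the original post or from FreePBX): an idempotent version of the .htaccess workaround above, plus a check that tells you whether a fetched page is still an Apache auto-generated listing. The three paths are the ones from the post; MyPbxServerAddress is the post's placeholder hostname.

```shell
#!/bin/sh
# Added example, not part of the original thread.

# Append "Options -Indexes" only if the .htaccess does not already carry it,
# so re-running after an update does not stack duplicate lines (the plain
# ">>" in the post appends a new line on every run).
ensure_no_indexes() {
    dir="$1"
    htaccess="$dir/.htaccess"
    [ -d "$dir" ] || return 1
    if ! grep -qs '^Options[[:space:]].*-Indexes' "$htaccess"; then
        printf 'Options -Indexes\n' >> "$htaccess"
    fi
    return 0
}

# Return 0 if an HTML body looks like an Apache mod_autoindex listing
# (it emits "<title>Index of /...</title>"), 1 otherwise. Works offline.
looks_like_listing() {
    printf '%s' "$1" | grep -qi '<title>Index of /'
}

# Fetch a URL and classify it: 0 = listing exposed, 1 = not a listing,
# 2 = fetch failed (needs curl and network access to the PBX).
check_url() {
    body=$(curl -fsS "$1" 2>/dev/null) || return 2
    looks_like_listing "$body"
}

# Run with --apply to harden the three directories and then verify each one.
if [ "${1:-}" = "--apply" ]; then
    for d in modules images assets; do
        ensure_no_indexes "/var/www/html/admin/$d" || echo "missing dir: $d"
    done
    for d in modules images assets; do
        check_url "https://MyPbxServerAddress/admin/$d/"
        case $? in
            0) echo "LISTING STILL EXPOSED: /admin/$d/" ;;
            1) echo "ok: /admin/$d/" ;;
            *) echo "fetch failed: /admin/$d/" ;;
        esac
    done
fi
```

The .htaccess directive only takes effect if the vhost's AllowOverride permits Options for that path, so the fetch check, not the file's presence, is what confirms the listing is actually gone.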

I assume you are on the distro.
Modules could be an issue, but there is no risk, security or otherwise, for assets or images.

Hello @jfinstrom

Yes. We are using the Distro Version available from: FreePBX Distro Download Links

@jgiebler this is something that could be handled better, but I don’t see any security issue. Please open a ticket at https://issues.freepbx.org/
