We were patching servers yesterday and noticed that directory browsing is available for the 3 sub-directories of the “Admin” folder listed below, without authentication.
https://MyPbxServerAddress/admin/[modules | images | assets]

/var/www/html/admin/modules/
/var/www/html/admin/images/
/var/www/html/admin/assets/
This seems like an unneeded security risk. Is there a reason for this? I found an old forum post from 2013 referencing this same issue but it appears to still exist. (Prevent browsing of FreePBX admin folder sub-directories)
As a quick workaround, we executed the shell commands below on each server over SSH. They add an .htaccess file to the affected folders to stop allowing directory browsing. I have no idea if the .htaccess files will stay post whatever future updates.
echo "Options -Indexes" >> /var/www/html/admin/modules/.htaccess
echo "Options -Indexes" >> /var/www/html/admin/images/.htaccess
echo "Options -Indexes" >> /var/www/html/admin/assets/.htaccess
Hoping someone out there knows why these are left browsable… especially without authentication.
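The workaround above, as an added example that is not part of the original post: a re-runnable version of the same fix that only appends the directive when it is missing (the plain `>>` lines add a duplicate each time they are re-run after an update), plus a check that confirms Apache no longer serves a listing. It assumes Apache honours `.htaccess` under `/var/www/html/admin` (`AllowOverride Options` or `All`); `ADMIN_ROOT`, `SUBDIRS` and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently add "Options -Indexes"
# to each admin sub-directory's .htaccess, then verify the listing is gone.
# Assumes Apache honours .htaccess here (AllowOverride Options or All); with
# AllowOverride None the file is silently ignored and listing stays enabled.

ADMIN_ROOT="${ADMIN_ROOT:-/var/www/html/admin}"
SUBDIRS="modules images assets"

# ensure_no_index DIR: append the directive only when missing, so re-running
# after an update does not pile up duplicate lines like plain ">>" would.
ensure_no_index() {
    dir="$1"
    htaccess="$dir/.htaccess"
    [ -d "$dir" ] || return 1
    if ! grep -qs '^Options[[:space:]].*-Indexes' "$htaccess"; then
        printf 'Options -Indexes\n' >> "$htaccess"
    fi
    chmod 644 "$htaccess"
}

# is_listing_body: read an HTTP response body on stdin and return 0 when it
# looks like an Apache mod_autoindex directory listing, 1 otherwise.
is_listing_body() {
    grep -qi '<title>Index of '
}

# check_no_index URL: fetch the directory and fail (status 1) if a listing
# is still served; status 2 means the request itself failed.
check_no_index() {
    body=$(curl -sk --max-time 10 "$1") || return 2
    if printf '%s' "$body" | is_listing_body; then
        echo "LISTING STILL ENABLED: $1" >&2
        return 1
    fi
    return 0
}

# harden_admin_dirs: apply the fix to every sub-directory in SUBDIRS.
harden_admin_dirs() {
    for d in $SUBDIRS; do
        ensure_no_index "$ADMIN_ROOT/$d" || echo "skip: $ADMIN_ROOT/$d missing" >&2
    done
}
```

Run `harden_admin_dirs` as root on each server, then `check_no_index https://MyPbxServerAddress/admin/modules/` (and the other two paths) from a machine that is not logged in to confirm the listing is gone.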