Why is Directory Browsing on by default for: admin/modules, admin/assets and admin/images?

freepbx
configuration
Tags: #<Tag:0x00007fafc460bb68> #<Tag:0x00007fafc460b9d8>

#1

Hello Community,

We were patching servers yesterday and noticed that directory browsing is available for the below 3 Sub directories of the “Admin” folder without authentication.

https://MyPbxServerAddress/admin/[modules | images | assets]

/var/www/html/admin/modules/
/var/www/html/admin/images/
/var/www/html/admin/assets/

This seems like an unneeded security risk. Is there a reason for this? I found an old forum post from 2013 referencing this same issue but it appears to still exist. (Prevent browsing of FreePBX admin folder sub-directories)

As a quick work around, we executed the below lines of shell code on each server from SSH. They add an .htaccess file to the affected folders to stop allowing directory browsing. I have no idea if the .htaccess files will stay post whatever future updates.

echo "Options -Indexes" >> /var/www/html/admin/modules/.htaccess
echo "Options -Indexes" >> /var/www/html/admin/images/.htaccess
echo "Options -Indexes" >> /var/www/html/admin/assets/.htaccess

Hoping someone out there knows why these are left browse-able… especially without authentication.
Thank you


(TheJames) #2

I assume you are on the distro.
Modules could be an issue but there is no risk security or other wise for assets or images


#3

Hello @jfinstrom

Yes. We are using the Distro Version available from: FreePBX Distro Download Links


(Lorne Gaetz) #4

@jgiebler this is something that could be handled better, but I don’t see any security issue. Please open a ticket at https://issues.freepbx.org/


(system) closed #5

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.