Security Basics
the REFERER, can thwart automated tools to a degree
Regards,
Iftikhar
On 02/13/2012 07:45 PM, Calderon, Juan Carlos (GE, Corporate,
consultant) wrote:
> I understand authentication to these documents is not an issue; what is
> an issue is directory listing. IIS prevents this by default, so I assume
> you are using Apache, Tomcat or another server. So the best way to
> prevent this issue is to modify your .htaccess file to avoid listing
> files:
>
> Here is an example of how to use it
> http://www.javascriptkit.com/howto/htaccess11.shtml
>
> Regards,
> Juan C Calderon
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
> On Behalf Of Alexander Pick
> Sent: Wednesday, February 08, 2012 3:11 AM
> To: Thugzclub Thugzclub
> Cc: security-basics (at) securityfocus (dot) com; webappsec (at) securityfocus (dot) com
> Subject: Re: Directory Scanner
>
> Another idea is to proxy your download URLs through a script and hide
> the real files outside the web root.
>
> If you do it in PHP it's pretty simple (header + read file + a bit of
> security). Just make sure to make the script secure in terms of
> directory traversal etc.; many people hide their downloads for
> security and create even bigger holes with bad scripts.
> You can also add all sorts of attack detection to it, like recording the
> hit count of an IP and auto-locking the downloads after a certain
> amount.
>
> Hope this helps.
>
> greets,
> Alex
>
>
>
>> A question:
>>
>> Given a website URL like the below :
>>
>> http://www.companywebsite.com/resources/resources/whitepapers/document
>> _1_wp.pdf
>> http://www.companywebsite.com/resources/resources/whitepapers/document
>> _arbinatryname__wp.pdf
>>
>> How can I protect somebody from enumerating the list of files in this
>> "whitepapers" directory? What tool can I use to make sure that I am
>> adequately protected against this?
>> Cheers
>>
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
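The download-proxy approach Alex describes (files kept outside the web root, a handler that refuses traversal, and a per-IP hit counter that locks a client out) as an added Python example; it is not code from this thread, and the directory path, name allow-list and limits are assumptions.

```python
import os
import re
import time
from collections import defaultdict

# Hypothetical location outside the web root; files here are reachable
# only through resolve_download(), so no directory listing ever exists.
DOWNLOAD_DIR = "/srv/private/whitepapers"
# Allow-list: plain names only, no leading dot and no path separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$")
MAX_HITS = 20   # assumed: requests per window before a client is locked out
WINDOW = 60.0   # assumed: window length in seconds

def resolve_download(name, base_dir=DOWNLOAD_DIR):
    """Map a user-supplied name to a regular file inside base_dir.
    Returns the absolute path, or None if the name fails the allow-list,
    escapes base_dir via '..' or a symlink, or is not a regular file."""
    if not SAFE_NAME.match(name):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # realpath collapses '..' and follows symlinks; the os.sep suffix stops
    # a sibling such as '/srv/private/whitepapers2' from passing the check.
    if not target.startswith(base + os.sep):
        return None
    if not os.path.isfile(target):
        return None
    return target

class HitLimiter:
    """Per-client counter: a client exceeding max_hits requests within
    window seconds is refused; hits and misses both count, so guessing
    names (document_1_wp.pdf, document_2_wp.pdf, ...) is throttled."""
    def __init__(self, max_hits=MAX_HITS, window=WINDOW):
        self.max_hits, self.window = max_hits, window
        self.hits = defaultdict(list)

    def allow(self, client_ip, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.hits[client_ip] if now - t < self.window]
        recent.append(now)
        self.hits[client_ip] = recent
        return len(recent) <= self.max_hits

def serve(name, client_ip, limiter, base_dir=DOWNLOAD_DIR):
    """Return (status, path): 429 once locked out, otherwise 404 for any
    name that does not resolve (never 403, which would confirm existence)."""
    if not limiter.allow(client_ip):
        return 429, None
    path = resolve_download(name, base_dir)
    return (200, path) if path else (404, None)
```

The web framework in use would stream `path` with a fixed Content-Type and a Content-Disposition header on a 200; the handler never reveals why a 404 was returned.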