
MB-R005 No directory listing

C01 File & Folder Permissions · Medium

Public web directories should not allow automatic directory indexing. A directory listing exposes file names, configuration fragments, backups, and other sensitive assets. Ensure the web server (Nginx/Apache) is configured to return 403 or 404 for directory requests that have no index file, so that nothing beyond the intended pages is revealed.

Why it Matters

Public folders should never allow automatic directory listing. If directory browsing is enabled, visitors can see every file name and structure inside those folders. Even if the files look harmless, attackers often use this information to plan attacks, find hidden scripts, or download sensitive files.

Disabling directory listing makes the system less transparent to attackers. It reduces information leaks and forces an attacker to work harder instead of simply browsing your files like a public index.

Verification Steps

Manual (Unix / Browser)

# Request folder URLs that have no index.php or index.html, in a browser or with curl
# (-L follows the usual /media -> /media/ redirect; only the status code is printed):
curl -sL -o /dev/null -w '%{http_code}\n' https://yourstore.com/media/
curl -sL -o /dev/null -w '%{http_code}\n' https://yourstore.com/pub/static/

# 200 with an "Index of /..." file list in the body: directory listing is enabled (bad).
# 403 Forbidden or 404 Not Found: it is disabled (good).

Remediation / Fix Guidance

  1. Turn directory listing off in the web server configuration:
    • Apache: set Options -Indexes in the <Directory> block that serves the public folders (in the vhost, or in .htaccess where AllowOverride permits Options). Check the base configuration too: a distribution default such as Options Indexes FollowSymLinks on /var/www/ re-enables listing for everything below it.
    • Nginx: make sure no autoindex on; appears in the server or location blocks that serve public folders. autoindex defaults to off, so autoindex off; only needs adding where an on; is inherited from an enclosing block.
  2. Reload the web server and confirm by requesting the main public folders (pub/, media/, pub/static/) without an index file; expect 403 or 404.
  3. Keep the setting in the version-controlled server configuration and review it on every change, so that a later deployment cannot silently turn listing back on.
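The following script is an added example for this baseline item, not code from the baseline page or from the Apache or nginx projects. It covers both the manual verification step and the remediation list above: it classifies the HTTP response for a directory URL the same way the check does (403/404 good, an auto-generated "Index of" page bad), and it audits Apache and nginx configuration text for the settings that enable listing. The configuration snippets inside it are constructed samples, not copied from a real server; curl is assumed to be installed for the live check; and the listing heuristics only recognise the default Apache mod_autoindex and nginx autoindex HTML.

```shell
#!/bin/sh
# Added example for MB-R005; not code from the baseline page or any web server project.
#   1. classify_response / check_url: the manual check against live URLs.
#   2. audit_apache_config / audit_nginx_config: the remediation check on config text.
# Assumptions: curl is installed for the live check; the config snippets below are
# constructed samples; the listing heuristics only recognise the default Apache
# mod_autoindex and nginx autoindex HTML ("<title>Index of", "Parent Directory").

# Print PASS when the response shows listing is disabled, FAIL when it shows a
# listing. 403/404 are the expected good answers; a 200 is only a failure when the
# body carries the markers of an auto-generated index page (an index file served
# with 200 is fine).
classify_response() {
    status="$1"
    body="$2"
    case "$status" in
        403|404) echo PASS; return 0 ;;
    esac
    if printf '%s' "$body" | grep -Eqi '<title>Index of |Parent Directory'; then
        echo FAIL
    else
        echo PASS
    fi
}

# Fetch one directory URL (following redirects such as /media -> /media/) and
# classify it. Output: "<PASS|FAIL> <status> <url>".
check_url() {
    url="$1"
    raw=$(curl -sL -o - -w '\n%{http_code}' "$url")   # body, then status on the last line
    status=$(printf '%s\n' "$raw" | tail -n 1)
    body=$(printf '%s\n' "$raw" | sed '$d')
    printf '%s %s %s\n' "$(classify_response "$status" "$body")" "$status" "$url"
}

# Return 0 when the Apache config text disables listing, 1 when any uncommented
# "Options" line enables "Indexes" (bare or "+Indexes"); "-Indexes" is fine.
audit_apache_config() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -Ei '^[[:space:]]*Options[[:space:]]' \
        | grep -Eiq '(^|[[:space:]]|\+)Indexes([[:space:]]|$)' && return 1
    return 0
}

# Return 0 when the nginx config text disables listing, 1 when an uncommented
# "autoindex on;" is present. nginx defaults to off, so absence of the directive is fine.
audit_nginx_config() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -Eiq '^[[:space:]]*autoindex[[:space:]]+on[[:space:]]*;' && return 1
    return 0
}

# Constructed config samples: the weak setting beside the corrected one.
APACHE_WEAK='<Directory /var/www/html/pub>
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>'
APACHE_FIXED='<Directory /var/www/html/pub>
    Options -Indexes +FollowSymLinks
    AllowOverride All
</Directory>'
NGINX_WEAK='location /media/ {
    autoindex on;
}'
NGINX_FIXED='location /media/ {
    autoindex off;
}'

# report <label> <audit-function> <config-text>
report() {
    if "$2" "$3"; then echo "$1: PASS (listing disabled)"; else echo "$1: FAIL (listing enabled)"; fi
}
report "apache weak sample" audit_apache_config "$APACHE_WEAK"
report "apache fixed sample" audit_apache_config "$APACHE_FIXED"
report "nginx weak sample" audit_nginx_config "$NGINX_WEAK"
report "nginx fixed sample" audit_nginx_config "$NGINX_FIXED"

# Live check: pass the public folder URLs as arguments, e.g.
#   sh check_listing.sh https://yourstore.com/media/ https://yourstore.com/pub/static/
for url in "$@"; do
    check_url "$url"
done
```

Run without arguments it only audits the constructed samples (two FAIL, two PASS); run with URLs it also fetches each folder and reports one line per URL. A 200 whose body lacks the index-page markers is reported PASS on the assumption that a real index file was served, so a PASS with status 200 still deserves a look in the browser; a 403 or 404 needs no further review.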

Examples

Fail Example

# Browser shows full file list
Index of /media/
  file1.jpg
  backup.zip

Pass Example

# Browser shows forbidden message
403 Forbidden
# or custom error page