Is it possible that if someone knows a sub directory on a website, that
they can use a utility to find the names of files in that directory?

We have a directory that stores .txt data files. If there are no direct
links on any of the pages to the files (asp and asp.net -> the links
are created dynamically), can a hacker get the names of the txt files in
that directory?

Thanks,

Gabe

Re: Security: Read a Directory by Ken

Ken
Mon Jan 30 18:37:25 CST 2006

a) If directory browsing is enabled, then the outside user can obtain a
directory listing via HTTP (if there is no default document)

b) If WebDAV is enabled (or FPSE), and the outside user has a valid Windows
user account (or you have anonymous read access enabled with WebDAV) the
outside user may be able to open the subfolder as a "web folder" in IE or
Windows XP, and get a file listing that way

c) If the user can somehow run some code on your system (e.g. they also have
a website on your server), they could potentially use the File System Object
(FSO) to obtain a listing of files in your website (dependent on NTFS
permissions)

d) If the user can somehow get any other access to the server (e.g. Remote
Desktop) they'd obviously be able to get access to the file system and have
a look at what files are there (via Explorer)

But generally, the answer is "no" - you'd need to change the default
configuration of IIS (or Windows) for a completely unknown, anonymous, user
out there to get your file listing. The only option they would have would be
"brute force" (i.e. guess at the file names one after the other).

Cheers
Ken

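Ken's closing point, that an anonymous user is left with guessing file names one after the other, shows up in the web server log as a run of 404s under one directory. The following is an added example, not part of any poster's message: it parses W3C extended log lines and flags such clients. The log lines, the `/data/` path and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in W3C extended log format (the format IIS writes);
# addresses, paths and file names are made up for this example.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2006-01-30 18:01:02 192.0.2.10 GET /data/orders-0130.txt 200
2006-01-30 18:01:09 192.0.2.10 GET /data/orders-0129.txt 200
2006-01-30 18:02:11 198.51.100.7 GET /data/backup.txt 404
2006-01-30 18:02:11 198.51.100.7 GET /data/users.txt 404
2006-01-30 18:02:12 198.51.100.7 GET /data/old.txt 404
2006-01-30 18:02:12 198.51.100.7 GET /data/data.txt 404
2006-01-30 18:02:13 198.51.100.7 GET /data/export.txt 200
2006-01-30 18:02:13 198.51.100.7 GET /data/test.txt 404
2006-01-30 18:02:14 198.51.100.7 GET /data/log.txt 404
2006-01-30 18:03:40 192.0.2.10 GET /data/orders-0128.txt 404
2006-01-30 18:03:41 192.0.2.10 GET /default.asp 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def guessing_clients(text, prefix="/data/", min_misses=5, max_hit_ratio=0.2):
    """Return {client_ip: (misses, hits)} for clients whose requests under
    prefix are mostly 404s, i.e. names were guessed rather than linked."""
    misses, hits = defaultdict(int), defaultdict(int)
    for row in parse_w3c(text):
        if not row.get("cs-uri-stem", "").lower().startswith(prefix):
            continue
        if row.get("sc-status") == "404":
            misses[row.get("c-ip", "?")] += 1
        elif row.get("sc-status", "").startswith("2"):
            hits[row.get("c-ip", "?")] += 1
    flagged = {}
    for ip, m in misses.items():
        if m >= min_misses and hits[ip] / (m + hits[ip]) <= max_hit_ratio:
            flagged[ip] = (m, hits[ip])
    return flagged
```

A flagged client with a non-zero hit count has guessed at least one real file name, which is the case David's reply says only authentication with authorization prevents.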



Re: Security: Read a Directory by David

David
Tue Jan 31 00:42:56 CST 2006

> We have a directory that stores .txt data files. If there are no direct
> links on any of the pages to the files (asp and asp.net -> the links
> are created dynamically), can a hacker get the names of the txt files in
> that directory?

I assume that your question is about security.

From a security perspective, your question is a moot point. It is assumed that
if you make a resource available via a URL that it will be accessed by
everyone good or bad. In other words, there is no such thing as "security
through obscurity"; lack of direct links does not prevent unauthorized access.
Only authentication with authorization prevents unauthorized access.

For example, hackers do not need direct links to obtain a list of files
available on a webserver -- they can simply attach a network sniffer to your
server and observe other legitimate users accessing resources and derive
available files. This is trivial recon work as far as hackers are concerned.
Modern hacker toolkits have such functionality built in where once they have
access to a few minutes of your network's traffic, they can gather enough
data to be able to make a roadmap of your network and servers, make queries
against this database to find things of interest (files, server types and IP
address, databases, etc) and start hacking them.

There is no such thing as "security through obscurity".

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//