or almost never add Options +Indexes to your .htaccess file
Yesterday I had the bad idea to create a quick frontend solution for a backend problem: accessing all available files in a folder on the server.
Accessing files on the client machine is no problem nowadays, but my aim was to get access to files on the server without writing code or implementing a service.
I remembered that directory listing can be allowed for configured folders. To achieve this, you simply add a .htaccess file to each folder that should allow it.
.htaccess:
Options +Indexes
So I gave it a try.
Inside data I placed my .htaccess file and the other files I wanted to request.
To access those via JavaScript I created a small page check.html with the following content.
check.html:
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Title</title>
</head>
<body>
<script>
  // Request the folder itself; with Options +Indexes the server answers with a listing page
  (async () => {
    const result = await fetch('./data')
    const files = await result.text()
    console.log(files)
  })()
</script>
</body>
</html>
Requesting the page in the browser prints the HTML of a directory listing to the developer console.
So far so good (or bad), but what if I try to move to another location from there? Let’s change the path to the following.
const result = await fetch('./data/../js/')
And also this works. It gives me the content of this folder without having a .htaccess file placed inside.
So if you can guess the folder structure, it is possible to get things the creator never wanted you to see.
This leads to the rule: Never give access to the filesystem on the server using .htaccess.
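An added example, not part of the original post: a small JavaScript helper for checking your own site for exposed listings. It shows the path the browser actually requests once its URL parser has resolved the ".." segment, and flags responses that look like an Apache directory index. The base URL, the function names and the sample responses are constructed for illustration.

```javascript
// Added example: names, base URL and sample responses are constructed.
const BASE = 'https://example.test/app/check.html';

// Resolve a relative fetch() path as the browser does before sending it:
// the URL parser removes "." and ".." segments on the client side.
function requestedPath(relative, base = BASE) {
  return new URL(relative, base).pathname;
}

// True when a response looks like a page generated by Apache mod_autoindex.
function isAutoindexListing(status, body) {
  return status === 200 && /<title>\s*Index of \/[^<]*<\/title>/i.test(body);
}

// Report the distinct server paths whose responses expose a listing.
function auditListings(responses) {
  const exposed = new Set();
  for (const [relative, { status, body }] of Object.entries(responses)) {
    if (isAutoindexListing(status, body)) exposed.add(requestedPath(relative));
  }
  return [...exposed].sort();
}

// Live variant for your own site: fetch one path and classify the answer.
async function probe(relative, base, fetchImpl = fetch) {
  const url = new URL(relative, base);
  const res = await fetchImpl(url);
  return { path: url.pathname, listed: isAutoindexListing(res.status, await res.text()) };
}

// Constructed sample responses, keyed by the path passed to fetch().
const SAMPLE = {
  './data/': { status: 200, body: '<html><head><title>Index of /app/data</title></head></html>' },
  './data/../js/': { status: 200, body: '<html><head><title>Index of /app/js</title></head></html>' },
  './js/': { status: 200, body: '<html><head><title>Index of /app/js</title></head></html>' },
  './css/': { status: 403, body: '<title>403 Forbidden</title>' },
  './check.html': { status: 200, body: '<title>Title</title>' },
};

console.log(requestedPath('./data/../js/'));
console.log(auditListings(SAMPLE));
```

Both './data/../js/' and './js/' resolve to the same request path, so the audit reports that directory once; whether it is listed depends on the Options in effect for that directory on the server.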