Apache default configuration - directory listing

Forum for questions and support relating to the 1.29.x releases only.
alexo
Posts: 6
Joined: Wed Feb 01, 2017 8:36 am
Location: Europe

Apache default configuration - directory listing

Post by alexo » Wed Feb 01, 2017 8:47 am

Hello,
I recently installed 1.29.0 on Debian Jessie (8.7). The default apache config file has the following:

<Directory /usr/share/zoneminder/www>
  php_flag register_globals off
  Options Indexes FollowSymLinks
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>
</Directory>

Now, without logging in to ZM, I'm able to browse and view the events folders :(
When I disable directory listing, it seems that ZM is working fine.
What feature/functionality requires the directory Indexing? Can I disable it?

How can I further secure the default install?

Thanks for your time.

bbunge
Posts: 2704
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: Apache default configuration - directory listing

Post by bbunge » Wed Feb 01, 2017 2:07 pm

Interesting... Just tried it on Debian 9 and Ubuntu 16.04 with http://ipaddress/zm/events and got the directory listing, too.

Will look into this...

bb

SteveGilvarry
Posts: 445
Joined: Sun Jun 29, 2014 1:12 pm
Location: Melbourne, AU

Re: Apache default configuration - directory listing

Post by SteveGilvarry » Wed Feb 01, 2017 7:29 pm

Remove it.
And put server behind VPN, and cameras on separate subnet with no internet access.
Production Zoneminder 1.35.x
Random Selection of Cameras (Dahua and Hikvision)
More Dev VM's than I care to count.

MJN
Posts: 250
Joined: Wed Jan 17, 2007 10:29 am
Location: Wiltshire, UK

Re: Apache default configuration - directory listing

Post by MJN » Tue Feb 14, 2017 6:58 pm

I use Basic Authentication (inside HTTPS) to secure the whole ZM tree.

bbunge
Posts: 2704
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: Apache default configuration - directory listing

Post by bbunge » Tue Feb 14, 2017 8:45 pm

As posted in the 1.30.x area

Here is a "fix" to block the directory browsing. I must admit it is partly my fault.

For Ubuntu
Undo my "Fix to allow API to work" (back to the original configuration)

nano /etc/apache2/apache2.conf

Change All to None in two places as shown below

<Directory /usr/share>
  AllowOverride None
  Require all granted
</Directory>

<Directory /var/www/>
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>

Ctrl+o Enter to save

CTRL+x to exit

Edit zoneminder.conf

nano /etc/apache2/conf-available/zoneminder.conf

Add a - before Indexes and a + before FollowSymLinks

<Directory /usr/share/zoneminder/www>
  Options -Indexes +FollowSymLinks

Make sure the following is at the bottom of the file

<Directory /usr/share/zoneminder/www/api>
  AllowOverride All
</Directory>

Ctrl+o Enter to save

CTRL+x to exit

Restart Apache

service apache2 reload

http://ip-addr/zm/events should now give you a Forbidden 403 error
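
To check the configuration files themselves rather than only the HTTP response, the following is an added example (not part of bbunge's post or of the ZoneMinder packages) that lists every `<Directory>` block whose `Options` line turns on directory listing. The names `find_indexes` and `demo` are chosen here, and the sample configuration is constructed from the `Options` lines quoted in this thread.

```shell
# Added example: report <Directory> blocks whose Options line enables
# directory listing (Indexes, +Indexes or All). Per-block check only: it does
# not resolve inheritance between blocks, .htaccess files or Include lines.
find_indexes() {
    awk '
        FNR == 1 { dir = "" }                 # reset state for each file
        /^[ \t]*#/ { next }                   # skip comment lines
        { line = $0; sub(/^[ \t]+/, "", line); lower = tolower(line) }
        lower ~ /^<directory[ \t]/ {          # not <DirectoryMatch>
            dir = line
            sub(/^<[^ \t]+[ \t]+/, "", dir)   # drop "<Directory "
            sub(/>[ \t]*$/, "", dir)          # drop the closing ">"
            gsub(/"/, "", dir)                # drop optional quotes
            next
        }
        lower ~ /^<\/directory>/ { dir = ""; next }
        dir != "" && lower ~ /^options[ \t]/ {
            n = split(lower, opt, /[ \t]+/)
            for (i = 2; i <= n; i++)
                if (opt[i] == "indexes" || opt[i] == "+indexes" || opt[i] == "all") {
                    printf "%s:%d: %s: %s\n", FILENAME, FNR, dir, line
                    break
                }
        }
    ' "$@"
}

# Constructed sample: the "before" and "after" Options lines from this thread.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/before.conf" <<'EOF'
<Directory /usr/share/zoneminder/www>
  php_flag register_globals off
  Options Indexes FollowSymLinks
</Directory>
EOF
    cat > "$tmp/after.conf" <<'EOF'
<Directory /usr/share/zoneminder/www>
  Options -Indexes +FollowSymLinks
</Directory>
<Directory /var/www/>
  Options Indexes FollowSymLinks
</Directory>
EOF
    find_indexes "$tmp/before.conf" "$tmp/after.conf"
    rm -rf "$tmp"
}
```

On a real system, call `find_indexes /etc/apache2/apache2.conf /etc/apache2/conf-available/zoneminder.conf` after editing; a block that is still reported has listing enabled for that path unless a more specific block turns it off.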
