Directory listing on phpMyAdmin with DirectAdmin

Hello,

It must be directory listing is allowed either globally on your server or per virtual host.

Do you have the issue only on one domain or on all domains from your server?

Disable directory listing in your web-server settings or in .htaccess.
 
Hello,

It must be directory listing is allowed either globally on your server or per virtual host.

Do you have the issue only on one domain or on all domains from your server?

Disable directory listing in your web-server settings or in .htaccess.

It's only on phpMyAdmin on all accounts. Other directories are protected.
 
OK, I can confirm. We see the same situation on some servers. To fix it add this code:

Code:
<Directory "/var/www/html">
     Options -Indexes
</Directory>
<Directory "/var/www/html/*/log">
     Deny from all
</Directory>
<Directory "/var/www/html/*/sql">
     Deny from all
</Directory>

into /etc/httpd/conf/extra/httpd-includes.conf

and restart apache.
 
Thank you Alex. It solved the problem. But as you said you confirmed there are same issues on some other servers, I think DA must have an update to cover this problem.
 
Ticket #3459 created with Directadmin staff: "PhpMyAdmin logs available through Apache". I'm sure they will fix it soon.
 
I don't think this is a security issue. I have looked around and I don't see any important files. And by disabling directory listing you're only hiding the files all servers will have anyway; so if you know the file names you can type them in manually.

Having said that there is no reason to have directory listing enabled, I too think it should be changed in the default configs.
 
You can get a list of valid usernames in phpmyadmin logs and IPs of users who accessed phpMyAdmin with a specified username. I consider it a security issue.
 
Back
Top