KrazyWorks » WordPress Directory Listing Risk

December 27, 2011 – 12:22 am | 3 Comments

Some of the technical issues with Boxee Box could have been fixed if the dev team was paying more attention to addressing the bugs rather than adding “features” of dubious value. In the final analysis, for the price and ease of use, Boxee Box is the best in its class and price range. You just need to be mindful of its limitations and buy it in hope of future improvements to its usability.

Read the full story »

Networking

Unix and Linux network configuration. Multiple network interfaces. Bridged NICs. High-availability network configurations.

Applications

Reviews of latest Unix and Linux software. Helpful tips for application support admins. Automating application support.

Data

Disk partitioning, filesystems, directories, and files. Volume management, logical volumes, HA filesystems. Backups and disaster recovery.

Monitoring

Distributed server monitoring. Server performance and capacity planning. Monitoring applications, network status and user activity.

Commands & Shells

Cool Unix shell commands and options. Command-line tools and application. Things every Unix sysadmin needs to know.

Home » WordPress

WordPress Directory Listing Risk

Submitted by Igor on June 11, 2009 – 11:36 pmNo Comment

A large number of WordPress directories do not have an index file. This is particularly dangerous in case of the plugins directory. If your server allows directory listings, a potential attacker may see which plugins you have installed. Most plugins have security vulnerabilities. One way of fixing this is by adding the following line to the .htaccess file in the Web server’s root (htdocs):

Options -Indexes

Another approach is to put an index file in each folder on your site that does not already have one. You can have this index file redirect the visitor back to the main page of your site. Create the /wp-content/index.html with 644 permissions and the following content:

<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.yourdomain.com">

Now you can create a link in all directories under wp-content pointing to this index file. Thus, if you need to change this file in the future, you only need to modify one file. The script below will help you create the links from the wp-content directory:

#!/bin/ksh
 
cd ${HOME}/public_html/wp-content
 
if [ ! -f index.html ]
then
        echo '<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.yourdomain.com">' > index.html
        chmod 644 index.html
fi
 
find . -type d | while read dir
do
        if [ `ls "${dir}" | egrep -c "index.html|index.htm"` -eq 0 ]
        then
                ln -s ${HOME}/public_html/wp-content/index.html "${dir}"/index.html
        fi
done

Popularity: 3% [?]

Applications »

OpenSUSE 11.4 Installation Overview

After enjoying taking apart Microsoft’s “cloud” Office 365 for the numerous shortcomings of its installation process, having to do the same for my favorite Linux distro – openSUSE – is rather upsetting. OpenSUSE installation routine went from nearly-flawless in 11.1 to mildly annoying in 11.3, arriving to moderately obnoxious in 11.4. What happened? Same as with Microsoft, poor installation workflow is to blame. One can always feel when desktop support people take over workflow tasks from server admins.

More articles »

Commands & Shells »

Compress Old Log Files on Linux

Most log files located in /var/log are part of the log rotation and will be compressed automatically. However, in many cases various user applications maintain log files outside of /var/log. These logs are not managed …

More articles »

Data »

Adding LUNs to VXVM on Linux

The following is a brief overview of the process for adding LUNs to VXVM under Linux. In our example we have an RHEL 5 server with existing LUNs and VXVM volume groups. Two new LUNs with multipathing were allocated from SAN and need to be added to the system to grow one of the volumes and the corresponding filesystem.

More articles »

Hardware »

Quick Review: Boxee Box

Some of the technical issues with Boxee Box could have been fixed if the dev team was paying more attention to addressing the bugs rather than adding “features” of dubious value. In the final analysis, for the price and ease of use, Boxee Box is the best in its class and price range. You just need to be mindful of its limitations and buy it in hope of future improvements to its usability.

More articles »

Monitoring »

Simple Host Monitoring with SSH

Sometimes you just need something very simple to monitor a server or an application on a temporary basis. A basic ping monitor is fine, but it will only tell you if a server is responding on the network. It will not tell you if there is some other problem on the system. The script below relies on passwordless SSH setup to periodically log into the monitored nodes and check on their health by executing a local or remote script.

More articles »

Networking »

Red Hat: Changing Hostname and IP

Changing hostname and IP is frequently required when a server is being moved from testing or development to production. The process is a fairly simple one, but steps must be performed in a certain order to avoid complications.

More articles »

Scripts »

Windows Network Troubleshooting Script

I try my best to stay away from Windows. I wish my clients did the same. The usual difficulty of troubleshooting elusive network performance problems is amplified many-fold when there is a Windows computer at the end of the line. With Unix it’s relatively simple: run tests “a”, “b”, “c”, etc and follow the familiar process of elimination. With Windows in the picture the number of steps uses up all of the English alphabet and spills over well into the Russian one. And when you finally reach step “я”, you have to pull out your Chinese dictionary.

More articles »

Air Guns Shake Up Earthquake Monitoring
sciencehabit writes "Petroleum geologists have long used air guns in their search for oil and gas deposits. Sudden blasts from the devices generate seismic waves that they use to map underground rock formations. Could the same technique be used to study earthquakes? A team of Chinese scientists thinks so. The researchers have designed an air gun that co […]
Half of Fortune 500s, US Agencies Still Infected With DNSChanger Trojan
tsu doh nimh writes "Two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies. Internet Identity, a Tacoma, Wash. company that sells sec […]
Ex-FCC Chair: Spectrum Plan "Single Worst Telecom Bill I've Seen"
alphadogg writes "Former FCC chairman Reed Hundt made waves when he called the House spectrum auction legislation 'the single worst telecom bill' he's seen. The legislation, which would severely restrict the FCC's ability to place conditions on spectrum auctions, is seen as a non-starter in the Senate where a bipartisan group of sena […]

Server Info

Server:	rowen.accountservergroup.com
OS    :	Red Hat 4.1.2-50
Kernel:	Linux 2.6.18-338.12.1.el5.lve0.8.34
Arch  :	64-bit OS running on 64-bit hardware 
CPU(s):	2 x 4-core Intel Xeon CPU E5620@ 2.40GHz
RAM   :	23Gb (99% used), 16 x 1Gb DIMMs
Swap  :	6Gb (0% used), paging in/out: 0/0
Uptime:	23 days
Load  :	.13, .14, .16
CPU % :	8 CPU cores at 16% combined utilization
Disk  :	util, svc time - sda: %, ms; 
Apps  :	MySQL 5.0.91, Perl 5.8.8
Issues:	occasional RAM shortages