As a web application penetration tester, when you find directory browsing enabled on a web server, you include it in your report, but you know exploiting it is a long shot.
The main threat is that an attacker can view every file in the web directory. This might include PHP files (or files in other web languages). A sufficiently dedicated attacker will read this PHP code to figure out a way to circumvent security.
Directory Browsing Vulnerability in Mutillidae
An attacker can review the code behind these PHP scripts to find potential weaknesses
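For auditing your own server, the following added example (not code from the original post) decides whether a saved response body is an auto-generated directory listing and reports which listed entries look like source or backup files. The marker patterns cover Apache/nginx-style "Index of" pages and Python's http.server; the suffix list, the function name `audit_listing` and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Text that auto-generated listings carry (Apache/nginx "Index of", Python http.server).
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"Directory listing for /", re.I),
)
# Assumed list of suffixes worth flagging when they appear in a listing.
RISKY_SUFFIXES = (".php", ".inc", ".bak", ".old", ".sql", ".zip", ".env", "~")

class _Links(HTMLParser):
    """Collects the href of every <a> tag in the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.append(href)

def audit_listing(body):
    """Return None for a normal page, else the listed entries and the risky ones."""
    if not any(marker.search(body) for marker in LISTING_MARKERS):
        return None
    parser = _Links()
    parser.feed(body)
    # Drop column-sort links ("?C=N;O=D"), parent links and external URLs.
    skip = ("?", "/", "../", "http:", "https:")
    entries = [unquote(h) for h in parser.hrefs if not h.startswith(skip)]
    risky = [e for e in entries if e.lower().endswith(RISKY_SUFFIXES)]
    return {"entries": entries, "risky": risky}

# Constructed sample responses (not captured from a real server).
SAMPLE_LISTING = """<html><head><title>Index of /includes</title></head><body>
<h1>Index of /includes</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="config.inc">config.inc</a></td></tr>
<tr><td><a href="header.php">header.php</a></td></tr>
<tr><td><a href="db_backup.sql">db_backup.sql</a></td></tr>
<tr><td><a href="images/">images/</a></td></tr>
</table></body></html>"""
SAMPLE_PAGE = "<html><head><title>Welcome</title></head><body><a href='login.php'>Login</a></body></html>"

if __name__ == "__main__":
    print(audit_listing(SAMPLE_LISTING))
    print(audit_listing(SAMPLE_PAGE))
```

Any directory that returns a non-`None` result should have listings switched off, for example with `Options -Indexes` in Apache or `autoindex off;` in nginx.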
Explains how to make a directory show a list of files without an index file. Crowd No More