Virtual host directory listing - Vulnerability Database

Virtual host directory listing

Description

The web server returns a directory listing when a request carries a Host header that names something other than a configured site, for example the server's IP address or a common default host name such as localhost. A server that receives a Host header matching none of its virtual hosts does not reject the request; it falls back to a default. Apache serves the first virtual host defined for that address and port (or the main server configuration), and nginx serves the first server block for that address and port unless one is marked default_server. If that fallback's document root has directory indexing enabled and contains no index file, the server generates a listing of it. The listing reveals the server's file layout and may expose files that are never linked from the real site, such as backups, configuration files or source code, to anyone who can reach the address.

Remediation

Configure a default virtual host that does not expose directory listings and define every virtual host explicitly. For Apache, give each virtual host a DocumentRoot with an Options directive that removes Indexes, and add a catch-all default virtual host. Apache picks the first virtual host defined for an address and port as the fallback for unmatched Host headers, so the catch-all must be loaded before the others (for example from a file named 000-default.conf):

# Default catch-all virtual host. Apache uses the FIRST <VirtualHost> defined
# for *:80 when no ServerName or ServerAlias matches the Host header, so this
# block must be loaded before every other virtual host on the same port.
<VirtualHost *:80>
    ServerName default
    DocumentRoot /var/www/default
    <Directory /var/www/default>
        # Require all denied returns 403 for everything; -Indexes is belt and
        # braces in case access is later opened up for a placeholder page.
        Options -Indexes
        Require all denied
    </Directory>
</VirtualHost>

# Legitimate virtual host
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example
    <Directory /var/www/example>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

For Nginx, mark one server block as default_server for each listening address and port and have it return 444 (close the connection without a response) or serve a minimal static page. Without an explicit default_server, nginx uses the first server block for that address and port, which is often a real site. The fallback is chosen per listening socket, so a site that also listens on 443 needs a matching listen 443 ssl default_server block:

# Fallback for any Host header that matches no server_name on port 80.
# 444 is an nginx-specific code: the connection is closed with no response.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name example.com;
    root /var/www/example;
    autoindex off;
}

Verify that directory listing is disabled globally (Options -Indexes in the main Apache configuration, autoindex off in the nginx http block), then test the running server with requests whose Host header is the IP address, localhost, a random unregistered name and each real site name, and confirm that none of them returns a listing.
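The check described above, written out as an added example that is not part of the Invicti page or of either web server's own tooling. It sends plain-HTTP GET requests with a series of Host header values and flags any 200 response whose body carries the markup Apache mod_autoindex or nginx autoindex generates. The names in CANDIDATE_NAMES, the nonexistent.invalid probe and the marker regexes are this example's own assumptions about what a scanner would try and what a listing looks like; adjust them for the environment under test.

```python
"""Probe a web server for virtual-host directory listings.

Added example, not code from the page or from Apache/nginx.  Assumes plain
HTTP on the target port; CANDIDATE_NAMES and LISTING_PATTERNS are assumed
values chosen for this example.
"""
import http.client
import re
import sys
from typing import Dict, List, Sequence, Tuple

# Markup emitted by Apache mod_autoindex and nginx autoindex listing pages.
LISTING_PATTERNS = (
    re.compile(r"<title>\s*Index of\s*/", re.IGNORECASE),
    re.compile(r"<h1>\s*Index of\s*/", re.IGNORECASE),
    re.compile(r'href="\?C=[NMSD];O=[AD]"', re.IGNORECASE),   # Apache column-sort links
    re.compile(r'<a href="\.\./">\.\./</a>', re.IGNORECASE),  # nginx parent-directory link
)

# Assumed set of default-looking host names a scanner would try.
CANDIDATE_NAMES = ("localhost", "default", "www", "admin", "dev", "staging", "test")


def looks_like_directory_listing(body: str) -> bool:
    """True if the response body matches an autoindex page from either server."""
    return any(pattern.search(body) for pattern in LISTING_PATTERNS)


def candidate_hosts(target_ip: str, real_names: Sequence[str] = ()) -> List[str]:
    """Host header values to send: the raw IP, common default names, a name that
    can never match a configured vhost, and the real site names for comparison.
    Order is preserved and duplicates are dropped."""
    ordered: List[str] = []
    for host in (target_ip, *CANDIDATE_NAMES, "nonexistent.invalid", *real_names):
        if host not in ordered:
            ordered.append(host)
    return ordered


def fetch(ip: str, port: int, host_header: str, path: str = "/") -> Tuple[int, str]:
    """GET `path` from ip:port with an explicit Host header.
    http.client does not add its own Host header when one is supplied."""
    conn = http.client.HTTPConnection(ip, port, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def scan(ip: str, port: int = 80, real_names: Sequence[str] = ()) -> Dict[str, int]:
    """Return {host_header: status} for every Host value that produced a listing.
    A hardened server yields an empty dict: the catch-all returns 403/444 and the
    real sites return their index pages."""
    hits: Dict[str, int] = {}
    for host in candidate_hosts(ip, real_names):
        status, body = fetch(ip, port, host)
        if status == 200 and looks_like_directory_listing(body):
            hits[host] = status
    return hits


if __name__ == "__main__":
    # Usage: python vhost_listing_check.py <ip> [real-site-name ...]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    findings = scan(target, real_names=sys.argv[2:])
    for host in findings:
        print(f"directory listing exposed with Host: {host}")
    sys.exit(1 if findings else 0)
```

Run it against the server's IP after applying the configuration; any Host value that still lands in the findings points at a virtual host (or the fallback) whose document root has indexing enabled. Only the root path is probed, so extend the path list if indexing was disabled per directory rather than globally.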

Related Vulnerabilities