Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Disable Directory Listing in IIS

In my web application all the .aspx pages resides in Pages directory. The project structure is shown below:

enter image description here

The Home.aspx is set as Start Page and the Web.config file of the Pages folder contains:

<configuration>
<location path="Secured">
    <system.web>
    <authorization>     
        <deny users="?"/>
        <allow users="*"/>
    </authorization>
    </system.web>
</location>
</configuration>

And the main Web.config has:

<authentication mode="Forms">
  <forms loginUrl="~/Pages/Login.aspx" timeout="2880" defaultUrl="~/Pages/Secured/Home.aspx" />
</authentication>

So when the application launches it redirects to the Login page with the URL:

http://localhost:2453/Pages/Login.aspx?ReturnUrl=%2fPages%2fSecured%2fHome.aspx

Now if I delete the

Login.aspx?ReturnUrl=%2fPages%2fSecured%2fHome.aspx

from that URL and press enter it is taking me to the Directory Listing:

enter image description here

What I want that it will again send me to the Login page located at

http://localhost:2453/Pages/Login.aspx

How can I achieve this? Your help be appreciated.

Thanks.

The localhost: enter image description here

like image 217
Tapas Bose Avatar asked Mar 21 '12 14:03

Tapas Bose


People also ask

Why am I getting a directory listing instead of my site?

If you are expecting to see an existing site however, and instead you see the directory listing something has gone wrong somewhere. The file may have been infected via a php injection attack and removed by a malware scanner. The site may have been attacked. Your account password may not be very secure.


2 Answers

You need to disable directory browsing from IIS or from the web.config

<configuration>
  <location path="Secured">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
  </location>
</configuration>

this entry above applies to IIS 7+, for IIS 6 you'll have to do it from IIS Manager

like image 142
scartag Avatar answered Oct 05 '22 23:10

scartag


There are 2 ways using which you can disable the Directory Listing: This has been tested & works for IIS 10.

1. Web.config

<configuration>
   <system.webServer>
       <directoryBrowse enabled="false" /> <!--this line will disable directory browsing-->
   </system.webServer>
</configuration>

2. IIS

Go to Internet Information Services(IIS) and look for the Directory Browser option. Select it and on the right corner you see an option Open Feature. Click on it and it will take you to another tab. Now select Disable and you see that the browsing has been disabled.

IIS manager IIS Directory Browsing

like image 39
Tahir77667 Avatar answered Oct 06 '22 00:10

Tahir77667