Group,

I'm a Unix admin working on a Solaris 8 server running Tomcat 6.0.16. No
other apps run on the server; for example, there is no Apache httpd running.
I have been tasked with disabling directory indexing based on a security
scan that provided this information:


Vulnerability Identified: Directory Indexing on Web Server

Severity: Low

Description: Verizon Business identified that a web server allows its
directory contents to be displayed, including any documents that were not
intended to be hyperlinked from other pages.

Impact: Attackers could discover potentially sensitive documents that were
not intended to be found. These documents may assist attackers in crafting
future attacks against the web server or any applications hosted on it.

Recommendation: Verizon Business recommends disabling directory indexing by
modifying the web server's configuration. For the IBM HTTP server and Apache,
directory indexing can be disabled by removing the following line for the
directory configuration: Options Indexes. In Microsoft IIS, directory
indexing can be disabled by deselecting the Directory Browsing option for
the affected directory.

Does this request make sense? I ask because I can't find any information on
directory indexing for Tomcat, although disabling it in Apache is easy
enough.

Thanks for any guidance!

David      unixhound at gmail.com
