The real question is what security problem are you honestly trying to solve by adding index.html? Because I can guarantee that index.html (or even `Options -Indexes`) will not solve it at all. Hiding indexes is security through obscurity, not real security.

If you have sensitive data or scripts in your MantisBT directory, then either you shouldn't have it in a public web root, or you should be configuring your server to protect it in some other way, like password or certificate based authentication.

Fix the root cause of the security issue. Don't try to wallpaper over the problem by turning off indexes and hoping no one will ever guess or find a link to what you're trying to hide. Certainly don't give users a false sense of security by handing out free index.html files all over the code base.

On Aug 6, 2012 8:36 AM, "Roland Becker" <roland@atrol.de> wrote:
> That's platform-dependent, so we can't use this as a global solution,
I agree, but we deliver also platform-dependent .htaccess to restrict access
rights. (for example in core subdirectory)
Maybe this has been introduced to avoid security issues if MantisBT is installed
by dumb administrators, shared hosting, ....
Some kind of "minimum default security" out of the box.

I hope that also some of the more experienced MantisBT developers will respond
to share their knowledge.

Damien Regad <damien.regad@merckgroup.com> wrote on 6 August 2012 at 16:21:
> On 05/08/12 22:39, Roland Becker wrote:
> > I found that we use empty index.html files for example in most of the
> > library subdirectories to prevent browsing. Maybe using an empty
> > index.html is not the clean way for it, but works with most of the
> > web servers.
>
> I was thinking about doing that actually, hence my original message.
>
> > For Apache you can create a .htaccess file in root directory of MantisBT
> > to prevent directory browsing also for all subdirectories.
>
> That's platform-dependent, so we can't use this as a global solution,
> and it goes back to what I wrote in the Issue, i.e. it's basically a web
> server config problem.
>
> At the end of the day, even with the index.html, users have an easy way
> of finding the names (and even contents) of the files as well as the
> directory structure so it may be quite pointless to try and hide them
> (I guess that's what rombert meant by
>
> > Robert Munteanu <robert.munteanu@gmail.com> wrote on 2 August 2012 at 11:09:
> >> What would we gain? It's not like we hide the files we have in the
> >> Mantis source tree.
>
> D
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> mantisbt-dev mailing list
> mantisbt-dev@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mantisbt-dev
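
The distinction argued in the top reply, shown as Apache `.htaccess` fragments. This is an added illustration, not part of the original thread and not MantisBT's shipped configuration; it assumes Apache 2.4 with `AllowOverride` permitting these directives, and the `private` directory, realm name and `AuthUserFile` path are placeholders.

```apache
# --- <webroot>/.htaccess : hides the listing only ----------------------
# Needs "AllowOverride Options" (or All) in the server configuration.
# Effect: a request for a directory URL that has no index file returns
# 403 instead of an auto-generated listing. Every file below it is
# still served to anyone who requests its URL directly, which is the
# same outcome as dropping an empty index.html into the directory.
Options -Indexes

# --- <webroot>/core/.htaccess : no web access at all -------------------
# Needs "AllowOverride AuthConfig".
# Effect: every HTTP request under this directory is refused, whether
# or not the client knows the file name. Server-side includes of these
# files keep working because they go through the filesystem, not HTTP.
Require all denied
# Apache 2.2 equivalent (mod_authz_host):
#   Order deny,allow
#   Deny from all

# --- <webroot>/private/.htaccess : authenticated access ----------------
# Placeholder directory for content that must stay reachable over the
# web but only by known users. Keep the password file outside the web
# root and serve the site over TLS so credentials are not sent in clear.
AuthType Basic
AuthName "Restricted"
AuthUserFile "/path/outside/webroot/.htpasswd"
Require valid-user
```

Only the last two fragments change who can read a file; the first changes only whether its name is advertised.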