Return-Path: 
 <users-return-107855-apmail-httpd-users-archive=httpd.apache.org@httpd.apache.org>
X-Original-To: apmail-httpd-users-archive@www.apache.org
Delivered-To: apmail-httpd-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id B681F10B94
	for <apmail-httpd-users-archive@www.apache.org>;
 Tue,  5 Nov 2013 21:08:46 +0000 (UTC)
Received: (qmail 38962 invoked by uid 500); 5 Nov 2013 21:08:43 -0000
Delivered-To: apmail-httpd-users-archive@httpd.apache.org
Received: (qmail 38913 invoked by uid 500); 5 Nov 2013 21:08:43 -0000
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
list-help: <mailto:users-help@httpd.apache.org>
list-unsubscribe: <mailto:users-unsubscribe@httpd.apache.org>
List-Post: <mailto:users@httpd.apache.org>
List-Id: <users.httpd.apache.org>
Delivered-To: mailing list users@httpd.apache.org
Received: (qmail 38905 invoked by uid 99); 5 Nov 2013 21:08:43 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 Nov 2013 21:08:43 +0000
X-ASF-Spam-Status: No, hits=-0.1 required=5.0
	tests=HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: local policy)
Received: from [155.52.251.17] (HELO phsmgmx14-outx.partners.org)
 (155.52.251.17)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 Nov 2013 21:08:39 +0000
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 AoIGAMpdeVKsG6iw/2dsb2JhbABYgkN8U786gUJtB4InBS1eAQwBHUMTJgEEG8ZvjyiDWIEPA45UnmWCKg
Received: from phsx10ht4.partners.org ([172.27.168.176])
  by phsmgmx14-out.partners.org with ESMTP/TLS/AES128-SHA;
 05 Nov 2013 16:08:14 -0500
Received: from PHSX10MB6.partners.org ([169.254.6.242]) by
 PHSX10HT4.partners.org ([172.27.168.176]) with mapi id 14.02.0318.004; Tue, 5
 Nov 2013 16:08:14 -0500
From: "Kaplan, Andrew H." <AHKAPLAN@PARTNERS.ORG>
To: "users@httpd.apache.org" <users@httpd.apache.org>
Thread-Topic: Disabling Web Directories Listing in Apache
Thread-Index: Ac7aayQJL3FXMCqlSRe66CmqP16rtA==
Date: Tue, 5 Nov 2013 21:08:14 +0000
Message-ID: <4E194A85C5A6CF4E88D0E7635770CAD5287D8F45@PHSX10MB6.partners.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.2.0.19]
Content-Type: multipart/alternative;
	boundary="_000_4E194A85C5A6CF4E88D0E7635770CAD5287D8F45PHSX10MB6partne_"
MIME-Version: 1.0
X-Virus-Checked: Checked by ClamAV on apache.org
Subject: [users@httpd] Disabling Web Directories Listing in Apache

--_000_4E194A85C5A6CF4E88D0E7635770CAD5287D8F45PHSX10MB6partne_
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Hello --

I am going through the motions of securing our Apache webserver. The server=
 is the 2.2.15 package bundled with the CentOS 6.3 distribution.
One of the items that is being dealt with is the web directories listing vu=
lnerability. My plan is to modify the following line in the httpd.conf file:

Options Indexes FollowSymLinks

to read as follows:

Options FollowSymLinks

Is this the correct course of action, or is there another line that should =
be modified either in addition to or instead of the aforementioned line?

Thanks.




The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-ma=
il
contains patient information, please contact the Partners Compliance HelpLi=
ne at
http://www.partners.org/complianceline . If the e-mail was sent to you in e=
rror
but does not contain patient information, please contact the sender and pro=
perly
dispose of the e-mail.

--_000_4E194A85C5A6CF4E88D0E7635770CAD5287D8F45PHSX10MB6partne_
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii">
<meta name=3D"Generator" content=3D"Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left:=
 #800000 2px solid; } --></style>
</head>
<body>
<font face=3D"Arial" size=3D"3"><span style=3D"font-size:12pt;">
<div>Hello --<br>

<br>

I am going through the motions of securing our Apache webserver. The server=
 is the 2.2.15 package bundled with the CentOS 6.3 distribution. </div>
<div>One of the items that is being dealt with is the web directories listi=
ng vulnerability. My plan is to modify the following line in the httpd.conf=
 file: </div>
<div>&nbsp;</div>
<div><b>Options Indexes FollowSymLinks </b></div>
<div>&nbsp;</div>
<div>to read as follows: </div>
<div>&nbsp;</div>
<div><b>Options FollowSymLinks </b></div>
<div>&nbsp;</div>
<div>Is this the correct course of action, or is there another line that sh=
ould be modified either in addition to or instead of the aforementioned lin=
e?<br>

<br>

Thanks. </div>
<div>&nbsp;</div>
<div><font size=3D"2"><span style=3D"font-size:10pt;">&nbsp;</span></font><=
/div>
</span></font>
<p></p>

<p>The information in this e-mail is intended only for the person to whom i=
t is<br>
addressed. If you believe this e-mail was sent to you in error and the e-ma=
il<br>
contains patient information, please contact the Partners Compliance HelpLi=
ne at<br>
http://www.partners.org/complianceline . If the e-mail was sent to you in e=
rror<br>
but does not contain patient information, please contact the sender and pro=
perly<br>
dispose of the e-mail.</p></body>
</html>

--_000_4E194A85C5A6CF4E88D0E7635770CAD5287D8F45PHSX10MB6partne_--