This can be mildly problematic, for example, when a user places a sensitive data file that's required by a CGI script in a web directory. The data file must be readable by user "nobody", which generally means it must be world-readable. Without the automatically generated index file, a web site visitor ordinarily couldn't read the data file unless they could guess its name. Still, this example is weak, as it illustrates the flawed, yet all-too-common, principle of "security through obscurity." The authors of this script could find no example that didn't rely on breaking the most obvious rule of web site creation: "don't put any sensitive files in a web directory with world-readable permissions!"
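
A check for the situation described above, as an added example that is not part of the original script: it lists files under a web directory that an unprivileged server account such as "nobody" can read but that do not look like web content. The function name, the extension allowlist and the sample tree are assumptions made for illustration.

```python
import os
import stat

# Assumption: extensions treated as intended web content; adjust per site.
WEB_CONTENT = {".html", ".htm", ".css", ".js", ".png", ".gif", ".jpg", ".cgi"}


def exposed_data_files(web_root):
    """Return relative paths of world-readable files that are not web content.

    A file counts as exposed when it has the other-read bit and every
    directory from web_root down to the file has the other-execute bit,
    which is what an account such as "nobody" needs in order to open it.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        if not os.stat(dirpath).st_mode & stat.S_IXOTH:
            dirnames[:] = []  # others cannot traverse: skip the whole subtree
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets, devices
            if not st.st_mode & stat.S_IROTH:
                continue  # not world-readable
            if os.path.splitext(name)[1].lower() in WEB_CONTENT:
                continue  # meant to be served
            findings.append(os.path.relpath(path, web_root))
    return sorted(findings)


if __name__ == "__main__":
    import tempfile

    # Constructed sample tree, not taken from the page.
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)  # mkdtemp creates the directory as 0700
    samples = [("index.html", 0o644), ("orders.dat", 0o644), ("private.dat", 0o600)]
    for name, mode in samples:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    print(exposed_data_files(root))
```

Any path it reports is a file the generated index would advertise to visitors; move it outside the web directory or narrow its permissions.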