After MyWebResource was hacked, I discovered that cPanel had this nice little feature to manage Apache indexes. The problem is, by default, this feature is set to fancy indexing. This basically means that if you do not have an index.* in every folder, Apache will generate one for you, thus allowing anyone in the world to browse the folder structure of your site. NOT GOOD!
....
I may just be p@r@n01d, but hey, if you're not p@r@n01d, you're not paying attention.
/2 cents
Best Regards,
JMorris
While I agree that placing such files is a good practice, I don't agree when you make it look like they are needed for site security, nor do I agree that letting people browse the folder structure of the site should make you throw a fit.
If you set the right permissions for the few sensitive folders, you are set (yet, put those index and .htaccess in _every_ 777 flagged folder - they are possible open holes already even after that). Either the curious "digging" user will see nothing (when he opens a PHP file, Apache executes it rather than showing the source) or will see some random picture he'd see browsing the site anyway.
Of course security by obfuscation helps, but it's not enough. You may place every index.html and .htaccess in the world, but if you don't protect the sensitive folders with true system rights, anyone knowing how XOOPS works can attempt breaking into your site.
This is the only thing I never liked about XOOPS and other easy-to-install portals: too often the modules want you to create 777 flagged folders and then slap stuff inside them. After some time installing and uninstalling stuff, the amount of freely accessible folders tends to grow, and the more the worse.
And if you get co-workers or consultants working on the site, they very easily tend to mess with freely accessible folder rights the first time they get an access denied error while developing their stuff.
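An added example, not part of either post above: a small audit that walks a web root and reports the two things this thread argues about, world-writable (777-style) folders and folders Apache would auto-index. The index file names, the assumption that Indexes is on by default, and the sample tree are assumptions made for the example.

```python
import os
import stat
import tempfile

INDEX_NAMES = ("index.html", "index.htm", "index.php")  # assumed DirectoryIndex list

def indexes_override(htaccess_path):
    """True/False if the file explicitly turns Indexes on/off, None if it says nothing.
    Simplified: only Indexes, +Indexes and -Indexes tokens on Options lines are read."""
    result = None
    with open(htaccess_path, errors="replace") as fh:
        for line in fh:
            parts = line.split()
            if parts and parts[0].lower() == "options":
                for opt in (p.lower() for p in parts[1:]):
                    if opt == "-indexes":
                        result = False
                    elif opt in ("indexes", "+indexes"):
                        result = True
    return result

def audit_webroot(root, default_indexes=True):
    """Walk root; report world-writable dirs and dirs Apache would auto-list."""
    root = os.path.abspath(root)
    findings = {"world_writable": [], "listable": []}
    state = {}  # directory -> is the Indexes option in effect there?
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic report order
        enabled = state.get(os.path.dirname(dirpath), default_indexes)
        if ".htaccess" in filenames:  # .htaccess settings are inherited by subfolders
            override = indexes_override(os.path.join(dirpath, ".htaccess"))
            enabled = enabled if override is None else override
        state[dirpath] = enabled
        rel = os.path.relpath(dirpath, root)
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings["world_writable"].append(rel)
        if enabled and not any(n in filenames for n in INDEX_NAMES):
            findings["listable"].append(rel)
    return findings

def build_sample_tree():
    """Constructed sample layout (not from the thread), created in a temp dir."""
    root = tempfile.mkdtemp()
    for sub, mode in (("uploads", 0o777), ("cache", 0o777), ("cache/smarty", 0o755), ("images", 0o755)):
        os.makedirs(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
    open(os.path.join(root, "index.php"), "w").close()
    with open(os.path.join(root, "cache", ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")
    return root

if __name__ == "__main__":
    print(audit_webroot(build_sample_tree()))
```

On the sample tree, `uploads` shows up in both lists, while `cache` is still reported as world-writable even though its .htaccess hides the listing, which is the distinction between hiding a folder and restricting its permissions.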