We're running Apache 2.2 on Debian Squeeze. We recently moved to a new server. The old server was running Apache 1.3 on Debian Sarge.
We run a number of sites on Apache, all using the name-based vhost files under /etc/apache2/sites-enabled. All our users or domains have this basic structure:
/home/domain_name/public_html/index.html (or index.php depending on the site).
Each of the various domain names is responding accordingly.
We also put in Maildir, log directories, work directories and script config files under /home/domain_name (but above public_html).
We discovered this problem by accident: if someone decided to call our server by the IP number, i.e., [#*$!.#*$!.#*$!.#*$!...] instead of any particular domain, then the entire directory structure under /home would be displayed, allowing anyone access to all the domains such as /home/domain_name and below. All the files above the public_html would be open to display.
A second related problem is that even if the directories are prevented from being displayed, if someone happens to know (or guesses) a subdirectory of /home they could simply append any subdirectory name to our IP address and view those files.
Obviously this is a great security risk on both counts.
One person suggested we change everything to be under /var/www. Not only would it be very much less convenient, but the person couldn't explain why there would be any difference between the /home or the /var/www setups. Beyond that, all our sites are based on the /home setup and to change it would create huge issues. As a side note, our original server was under Redhat which used the /home arrangement.
Under Apache 1.3 this was not an issue as IP calls defaulted to our main web site, which was listed first in the httpd.conf file.
Obviously we don't want the /home directory to show. I would prefer either a blank page, an error page or a designated .html file. And a fix would need to prevent the second problem if someone guesses a directory name.
So our temporary (and inelegant) fix was to place a .htaccess file under /home (but above all the domain name directories), with:

```apache
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$">
    Order allow,deny
</FilesMatch>
```
I found this on the web somewhere. The result when calling the IP number is a 500 Internal Server Error. It prevents the directory from being exposed, but obviously isn't the right way to do this.
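The usual way to close both holes on Apache 2.2 is to stop relying on the first vhost in sites-enabled being a real site: deny /home globally, open only each site's public_html, and make the first (alphabetically) vhost a deliberate catch-all that refuses everything. The configuration below is an added example, not the poster's configuration; the file paths under /etc/apache2, the site name example.org and the catch-all DocumentRoot /var/www/catchall are assumptions.

```apache
# /etc/apache2/conf.d/home-lockdown  (added example; file name is an assumption)
# Nothing under /home is served unless a vhost explicitly re-opens a subtree.
# This covers the "guess a subdirectory name" case: /home/<anything> is 403.
<Directory /home>
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# /etc/apache2/sites-available/000-default  (sorts first, so it is the catch-all
# for requests whose Host header matches no ServerName, including the bare IP)
# Apache 2.2 needs NameVirtualHost *:80, which Debian puts in ports.conf.
<VirtualHost *:80>
    ServerName catchall.invalid
    DocumentRoot /var/www/catchall
    # Refuse every request that lands here; change to a static page if preferred.
    <Location />
        Order deny,allow
        Deny from all
    </Location>
    LogLevel warn
    ErrorLog /var/log/apache2/catchall-error.log
    CustomLog /var/log/apache2/catchall-access.log combined
</VirtualHost>

# /etc/apache2/sites-available/example.org  (one real site; name is an assumption)
<VirtualHost *:80>
    ServerName example.org
    ServerAlias www.example.org
    DocumentRoot /home/example.org/public_html
    # Re-open only the document root; Maildir, logs and scripts above it stay denied.
    <Directory /home/example.org/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/example.org-error.log
    CustomLog /var/log/apache2/example.org-access.log combined
</VirtualHost>
```

Enable with a2ensite 000-default and a2ensite example.org, then check the resulting vhost order with apache2ctl -S before reloading. To confirm the fix from the server itself, request / and /some-user/ with the Host header set to the bare IP (curl -sI -H "Host: <your IP>" http://127.0.0.1/) and expect 403 for both, then repeat with Host: example.org and expect 200. Note that the catch-all vhost should also be the first entry for any other port you listen on (443 in particular), since each NameVirtualHost address/port pair has its own default.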