Question

I noticed this by chance earlier and after a quick Google, really couldn't find anything to help. I'm genuinely having trouble even explaining the problem!

When I access http://mydomain.com/error/README I appear to be getting the error readme found in /var/www/error/README. My virtual host for mydomain.com has its document root pointing to /var/www/html/mydomain, and /var/www/html/mydomain/error/ does not exist.

Naturally I feel this shouldn't be happening and although I haven't been able to replicate it, my main concern is that a user could in fact access anything off of /var/www/ not just /var/www/error/

Linux version: CentOS release 6.5 (Final)

Apache version: Apache/2.2.15

My virtual host file is:

NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName mydomain.com
    ServerAlias www.mydomain.com

    DocumentRoot /var/www/html/mydomain
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/html/mydomain/>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    LogLevel error
    CustomLog /var/log/httpd/mydomain_access.log combined
    ErrorLog /var/log/httpd/mydomain_error.log
</VirtualHost>



Solution

You probably have the following directive in your httpd.conf:

Alias /error/ "/var/www/error/"

This just redirects all your error queries to /var/www/error (e.g. if you need www.example.com/error/README it would redirect me to the README in that directory). Removing the alias should fix your problem.

If you are concerned about access to your other directories then I, as a complete newbie to apache, would recommend:

  1. Auditing your httpd.conf and removing any aliases that you don't need.
  2. Modifying your containers to have "Deny from all" and "AllowOverride None" in all of them.
  3. If you have selinux enabled, then remove the httpd security contexts from those directories.
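
Putting the three steps above together, here is the vhost from the question rewritten in that spirit. This is an added example, not configuration from the question or the answer; the file paths (/etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/mydomain.conf) are assumed to be the CentOS 6 defaults, and the 2.2-style Order/Allow/Deny syntax matches the Apache version in the question. Two facts drive the layout: an Alias in the main server config is inherited by every virtual host, and a <Directory /> block with no Order/Deny directives in Apache 2.2 grants access to every path the server resolves, which is why an Alias target outside DocumentRoot is served.

```apacheconf
# /etc/httpd/conf/httpd.conf (main server config; assumed CentOS default path)
# The global Alias applies to every virtual host that does not override it,
# so a per-vhost DocumentRoot does not stop /error/ from being served.
# Comment it out (step 1) unless the stock error pages are actually needed:
#Alias /error/ "/var/www/error/"

# Step 2: default-deny the whole filesystem, then re-open only what is needed.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# /etc/httpd/conf.d/mydomain.conf (the question's vhost, hardened; assumed path)
NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName mydomain.com
    ServerAlias www.mydomain.com

    DocumentRoot /var/www/html/mydomain

    # No vhost-level <Directory /> here, so the global deny above is inherited.
    # Access is re-opened only for the document root. MultiViews is dropped
    # because it lets Apache pick alternate files the URL did not name.
    <Directory /var/www/html/mydomain/>
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Belt and braces: even if the global Alias is left in place, this vhost
    # refuses the URL prefix it maps (403 instead of the README).
    <Location /error/>
        Order deny,allow
        Deny from all
    </Location>

    LogLevel error
    CustomLog /var/log/httpd/mydomain_access.log combined
    ErrorLog /var/log/httpd/mydomain_error.log
</VirtualHost>
```

To check the change, run `apachectl -t` to validate the syntax and `apachectl -S` to confirm the vhost is still picked up, reload httpd, then request `curl -I http://mydomain.com/error/README`: it should no longer return 200. If other directories under /var/www must stay reachable (for example the default /icons/ alias), give each one its own explicit <Directory> block with Allow from all rather than loosening the root block again.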
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow