Package: apache2-bin
Version: 2.4.62-1~deb12u2
Severity: normal

Dear Maintainer,

Description

On Debian-packaged Apache, apachectl -S shows a Main DocumentRoot of /var/www/html even when that path is not defined in the active runtime vhost configuration (sites-enabled) or other configs. In my setup, direct IP requests (or requests with an unmatched Host header) can fall back to this implicit main context and serve content from /var/www/html, which is not explicitly declared in the active configs.

This is problematic from a security/operations perspective because Apache serves content that is not visible in the active sites-enabled configuration.

Environment

Debian (Debian-packaged Apache)
apache2-bin/oldstable-security,now 2.4.62-1~deb12u2 amd64

Steps to reproduce

1. Configure Apache with named virtual hosts in sites-enabled, each with explicit DocumentRoot paths (not /var/www/html).
2. Ensure the Debian default site configs (000-default.conf, default-ssl.conf) are not enabled.
3. Check the runtime config:
       apachectl -S
   shows the active vhosts from sites-enabled/...
   apachectl -S also shows:
       Main DocumentRoot: "/var/www/html"
4. Confirm the included files:
       apachectl -t -D DUMP_INCLUDES
   000-default.conf / default-ssl.conf are not included.
5. Confirm there is no global DocumentRoot /var/www/html in the active config:
       grep -RIn --perl-regexp '^\s*DocumentRoot\s+' /etc/apache2
   Only vhost-specific DocumentRoot values are present in sites-enabled.
6. Request the server by IP directly (or with an unmatched Host header), e.g.:
       curl http://<server-ip>/

Actual result

Apache may serve content from /var/www/html via the implicit Main DocumentRoot fallback context, even though /var/www/html is not explicitly configured in the active sites-enabled vhost files.

Expected result

Apache should not serve content from an implicit package/binary default document root unless it is explicitly configured in the active runtime configuration, or this behavior should be clearly documented and easier to disable.
Additional observations

    strings /usr/sbin/apache2 | grep -i "var/www\|htdocs\|document"

shows /var/www/html in the binary, suggesting a package/binary-level default/fallback is present.

Notes / mitigation

A local mitigation is to define an explicit catch-all default vhost (deny/empty) as the first vhost on each IP:port (:80, :443), but the implicit fallback behavior is still surprising and not obvious from the active vhost config alone.

-- Package-specific info:

-- System Information:
Debian Release: 12.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.8.12-18-pve (SMP w/20 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2-bin depends on:
ii  libapr1                  1.7.2-3+deb12u1
ii  libaprutil1              1.6.3-1
ii  libaprutil1-dbd-sqlite3  1.6.3-1
ii  libaprutil1-ldap         1.6.3-1
ii  libbrotli1               1.0.9-2+b6
ii  libc6                    2.36-9+deb12u13
ii  libcrypt1                1:4.4.33-2
ii  libcurl4                 7.88.1-10+deb12u12
ii  libjansson4              2.14-2
ii  libldap-2.5-0            2.5.13+dfsg-5
ii  liblua5.3-0              5.3.6-2
ii  libnghttp2-14            1.52.0-1+deb12u2
ii  libpcre2-8-0             10.42-1
ii  libssl3                  3.0.17-1~deb12u3
ii  libxml2                  2.9.14+dfsg-1.3~deb12u2
ii  perl                     5.36.0-7+deb12u2
ii  zlib1g                   1:1.2.13.dfsg-1

apache2-bin recommends no packages.

Versions of packages apache2-bin suggests:
pn  apache2-doc                                       <none>
pn  apache2-suexec-pristine | apache2-suexec-custom   <none>
ii  google-chrome-stable [www-browser]                141.0.7390.107-1

Versions of packages apache2 depends on:
ii  apache2-data                 2.4.62-1~deb12u2
ii  apache2-utils                2.4.62-1~deb12u2
ii  init-system-helpers          1.65.2
ii  media-types                  10.0.0
ii  perl                         5.36.0-7+deb12u2
ii  procps                       2:4.0.2-3
ii  sysvinit-utils [lsb-base]    3.06-4

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.2

Versions of packages apache2 suggests:
pn  apache2-doc                                       <none>
pn  apache2-suexec-pristine | apache2-suexec-custom   <none>
ii  google-chrome-stable [www-browser]                141.0.7390.107-1

Versions of packages apache2-bin is related to:
ii  apache2      2.4.62-1~deb12u2
ii  apache2-bin  2.4.62-1~deb12u2

-- no debconf information
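The following is an added example, not part of the bug report and not Debian's or the Apache project's own code. It scripts the two practical pieces of the report: the check from the "Steps to reproduce" section (does the Main DocumentRoot reported by apachectl -S appear as an explicit DocumentRoot anywhere in the config tree?) and the "Notes / mitigation" workaround (a deny-everything catch-all vhost that sorts first on each port). The second part relies on Apache's documented vhost selection rule: the main server context only handles addresses not covered by any VirtualHost, and for an address:port that is covered, the first VirtualHost listed for it is the default for direct-IP requests and unmatched Host headers (for TLS, the same applies to unknown or absent SNI). The file name 000-catchall.conf, the directory /var/www/empty, the port list and the use of the ssl-cert snake-oil certificate paths are assumptions for illustration; the check also assumes the `Main DocumentRoot: "..."` line format printed by apachectl -S, as quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian package).
# Two helpers: a check for an undeclared Main DocumentRoot, and a generator
# for the catch-all vhost mitigation described in the report.

# undeclared_main_docroot CONFDIR
#   Reads `apachectl -S` output on stdin, extracts the Main DocumentRoot line
#   and compares it with every DocumentRoot directive found under CONFDIR.
#   Returns 0 if the main docroot is explicitly declared, 1 if it is not
#   (the implicit-fallback case from the report), 2 if no such line was seen.
undeclared_main_docroot() {
    confdir=$1
    main=$(sed -n 's/^Main DocumentRoot: *"\(.*\)"$/\1/p')
    [ -n "$main" ] || return 2
    # List the path argument of every DocumentRoot directive (quoted or not)
    # and look for an exact, whole-line match with the main docroot.
    if grep -RIhE '^[[:space:]]*DocumentRoot[[:space:]]+' "$confdir" 2>/dev/null \
        | sed -E 's/^[[:space:]]*DocumentRoot[[:space:]]+"?([^" ]+)"?.*/\1/' \
        | grep -qxF -- "$main"; then
        return 0
    fi
    printf 'Main DocumentRoot "%s" is not declared under %s\n' "$main" "$confdir"
    return 1
}

# write_catchall_vhost FILE [PORT...]
#   Writes one deny-everything VirtualHost per port (default: 80 443). The
#   file must sort before the real sites in sites-enabled, since Apache uses
#   the first VirtualHost listed for an address:port as that port's default.
#   /var/www/empty is an assumed, deliberately empty directory (mkdir -p it);
#   the snake-oil certificate paths are the Debian ssl-cert package defaults.
write_catchall_vhost() {
    out=$1; shift
    [ $# -gt 0 ] || set -- 80 443
    : > "$out"
    for port in "$@"; do
        cat >> "$out" <<EOF
<VirtualHost *:$port>
    ServerName catchall.invalid
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Require all denied
    </Directory>
    # Deny everything regardless of how the URL maps to the filesystem
    <Location />
        Require all denied
    </Location>
EOF
        if [ "$port" = 443 ]; then
            cat >> "$out" <<'EOF'
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
EOF
        fi
        printf '</VirtualHost>\n\n' >> "$out"
    done
}

# On a live Debian host (assumed layout), run with --check to test the
# current configuration; the mitigation is written separately, e.g.:
#   write_catchall_vhost /etc/apache2/sites-enabled/000-catchall.conf 80 443
#   apachectl configtest && systemctl reload apache2
if [ "${1:-}" = "--check" ]; then
    apachectl -S 2>&1 | undeclared_main_docroot /etc/apache2
fi
```

After installing the catch-all file, apachectl -S should list catchall.invalid as the first (default) vhost for *:80 and *:443, and `curl -H 'Host: nonexistent.example' http://<server-ip>/` should return 403 instead of content from /var/www/html. The Main DocumentRoot line will still show /var/www/html; the catch-all only ensures no request on those ports reaches the main server context.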

