My Drupal sites are showing contents of /sites/default and all other folders below /sites

I have a problem that could be something simple - but I can't get my head around it开发者_如何学Python at the moment. I have a few sites hosted on my Ubuntu 10.04LTS virtual server, and on all of them (Drupal 6) I can go directly to any folder below (and including) /sites (including the modules directory).

[edit] I've just realised I can go to ANY folder - ie /includes as well...[/edit]

I don't recall this being normal, and it certainly seems to be a security risk that I can get to the /sites/default folder - although I may be just being paranoid.

Can anyone confirm if this is normal, and if not point out what might be the root of my problem?

Cheers

Steve

You are not being paranoid, you are right, if your /sites/default directory is exposed, so is your settings.php file, which contains your database connection information (host, username, password). Since the mysql user that you have to create for Drupal has permissions for DROP TABLE, having your database exposed not only means an infiltration could show data, but also allows the infiltrated to destroy your database.

I found the problem - it was twofold:

First, for some reason my .htaccess files (generated by Drupal) were missing on some sites (I think this might have been a permissions problem with the root folder for the sites in question).

Second, I had a dodgy rule in the config files for each site that was over-riding the .htaccess file anyway - that will teach me to copy-paste from a web blog... found the correct layout for the mod_rewrite section on the Drupal site itself.

It was an odd one, and took a little finding, but its sorted now