Accessing multiple sites via HTTPS produces different, unrelated content (Peugeot club via HTTPS)
This is likely a server misconfiguration, since all those websites are served from 95.173.215.72
.
When opening one of the websites via HTTPS, my browser warns me that the certificate common name, which must match the website domain, is invalid.
I guess those websites aren't supposed to be acccessible via HTTPS, since Apache isn't configured to deliver the correct certificate, and seems to load the default website (forum.205gti.org
).
As far as I know, this isn't a security vulnerability.
You might also be asked to add a temporary security exception to view the content.
This is a typical issue when multiple sites share the same IP address and some of these have HTTPS enabled and some not. In this case often a default certificate and site will be served where the certificates subject does not match the domain in the URL - and this results in a certificate validation failure which leads to the warning you see.
Given that users are not supposed to simply click through such warnings this simple means that the site is effectively (i.e. for users which don't skip warnings) not available by HTTPS. But, just being not accessible by HTTPS is not a security issue by itself. In other words: I fail to see a security problem here. And you also only claim that there is a security problem but don't really explain what it exactly is. Note that are alternative ways do deal with a situation where some sites on the same IP address have HTTPS enabled and some don't. Instead of serving some default site some setups simply serve nothing, i.e. result in some connection error. But essentially both cases mean that there will be no content served by the user.
But I see a different problem: you assume that it is ok just to ignore the explicit browser warnings and continue to access the site. If you have this mindset it is easy to mount a man in the middle attack against you since you will simply click through the same explicit warnings you get from the browser when visiting some site while being attacked. And being vulnerable to man in the middle attacks because of ignoring such warnings is the real security issue here.