Changes

Apache 2.2 Server Side Includes

1,438 bytes added, 21:21, 25 July 2014
The following lines were added (+) and removed (-):
To permit SSI on your server, you must have the following directive either in your httpd.conf file, or in a .htaccess file:To permit SSI on your server, you <del>must</del> can have the following directive either in your httpd.conf file, or in a .htaccess file:Note that most configurations contain multiple Options directives that can override each other. You will probably need to apply the Options to the specific directory where you want SSI enabled.or there is another option.  The above directive '''IS NOT NECESSARY''' if using something like the following:  <Directory "/usr/local/www">    Options Indexes FollowSymLinks MultiViews '''Includes'''    AllowOverride None    Order allow,deny    Allow from all </Directory> If the /usr/local/www is your document root "DocumentRoot" then the above will enable SSI for it and sub directories.  The "Options Includes" is what makes it happen, the rest is included as other example directives. Virtual directories in other paths will not allow SSI.  Most configurations contain multiple Options directives that can override each other. You will probably need to apply the Options to the specific directory where you want SSI enabled.The exec command executes a given shell command or CGI script. It requires mod_cgi to be present in the server. If Options IncludesNOEXEC is set, this command is completely disabled.You might see the following error in your error_log  <!--#exec cgi="/cgi-bin/example.cgi" -->   mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed <!--#include virtual="/cgi-bin/example.cgi?argument=value" --> Use "Options IncludesNoExec" to resolve.  The exec command executes a given shell command or CGI script. Options IncludesNOEXEC disables this command completely so the server-side includes module cannot execute commands. It is recommended you do not use the Includes option but instead use IncludesNoExec.    
<!--#exec cmd="perl /path/to/perlscript arg1 arg2" --> Example:  Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExecThe include virtual element should be used in preference to exec cgi.Security issue: if the system is configured with "AllowOverride Options=IncludesNoEXEC", a local user can place "Options Includes" in a '.htaccess' file to cause Server Side Includes to be enabled with exec privileges.  This is verified on Apache version 2.2.11 as a reported vulnerability.The exec command could potentially enable an attacker to execute commands on the system.  The exec command requires mod_cgi to be present in the server. <nowiki><!--#exec cgi="/cgi-bin/example.cgi" --></nowiki> <nowiki><!--#include virtual="/cgi-bin/example.cgi?argument=value" --></nowiki> <nowiki><!--#exec cmd="perl /path/to/perlscript arg1 arg2" --></nowiki> The include virtual element should be used in preference to exec cgi.[[Category:Security]][[Category:Apache]]
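Review bot: The added `<Directory "/usr/local/www">` example turns on full `Includes` (exec allowed) for the whole document root, which contradicts the sentence added later in the same edit recommending `IncludesNoExec` instead of `Includes`. Suggest changing the example to `Options IncludesNoExec` and dropping `Indexes FollowSymLinks MultiViews` from it, since the text itself says those are only there as other example directives and a reader copying the block would enable all of them. The "IS NOT NECESSARY" wording is also confusing, because the block sets the same Options directive, only in a different place. The sentence "Virtual directories in other paths will not allow SSI" should say which paths are meant. The edit spells the option three ways (`IncludesNOEXEC`, `IncludesNoExec`, `IncludesNoEXEC`); pick one.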
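Review bot: The added "Security issue" paragraph calls the `AllowOverride Options=IncludesNoEXEC` bypass "a reported vulnerability" verified on 2.2.11 but gives no reference, no fixed version and no mitigation. Suggest linking the advisory it refers to and telling the reader what to configure instead; the `<Directory>` example added earlier in this edit already uses `AllowOverride None`, under which a `.htaccess` file cannot set Options at all, so that could be named as the safe setting. Note that this conflicts with the opening sentence, which still offers `.htaccess` as a place for the directive, so the page should state that the `.htaccess` route only works where AllowOverride permits Options. The three `<nowiki>` examples also still show `exec cgi` and `exec cmd` directly after the text warns that exec could let an attacker run commands; a line saying they fail under `IncludesNoExec` would keep the page consistent.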