Changes

Apache 2.2 Server Side Includes

736 bytes added, 21:21, 25 July 2014
The following lines were added (+) and removed (-):
     Options Indexes FollowSymLinks MultiViews Includes     Options Indexes FollowSymLinks MultiViews '''Includes'''If the /usr/local/www is your document root "DocumentRoot" then the above will enable SSI for it and sub directories.  Virtual directories in other paths will not allow SSI.  Most configurations contain multiple Options directives that can override each other. You will probably need to apply the Options to the specific directory where you want SSI enabled.If the /usr/local/www is your document root "DocumentRoot" then the above will enable SSI for it and sub directories.  The "Options Includes" is what makes it happen, the rest is included as other example directives. Virtual directories in other paths will not allow SSI.  Most configurations contain multiple Options directives that can override each other. You will probably need to apply the Options to the specific directory where you want SSI enabled.Quick Fix: Use "Options IncludesNoExec" to resolveUse "Options IncludesNoExec" to resolve.  The exec command executes a given shell command or CGI script. Options IncludesNOEXEC disables this command completely so the server-side includes module cannot execute commands. It is recommended you do not use the Includes option but instead use IncludesNoExec.  Example: Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExecSecurity issue: if the system is configured with "AllowOverride Options=IncludesNoEXEC", a local user can place "Options Includes" in a '.htaccess' file to cause Server Side Includes to be enabled with exec privileges.  This is verified on Apache version 2.2.11 as a reported vulnerability.The exec command executes a given shell command or CGI script. It requires mod_cgi to be present in the server. If Options IncludesNOEXEC is set, this command is completely disabled.The exec command could potentially enable an attacker to execute commands on the system. 
The exec command requires mod_cgi to be present in the server.[[Category:Security]][[Category:Apache]]
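Review bot: The first example still reads "Options Indexes FollowSymLinks MultiViews '''Includes'''", while the text added further down recommends IncludesNoExec instead of Includes. A reader who copies the first block gets SSI with exec enabled. Either change that example to IncludesNoExec or say next to it that it is the permissive form. The option is also spelled three ways in this revision (IncludesNoExec, IncludesNOEXEC, IncludesNoEXEC); use one spelling throughout, preferably IncludesNOEXEC as in the Apache documentation. The security-issue sentence says the '.htaccess' override is "verified on Apache version 2.2.11 as a reported vulnerability" but gives no reference. Link the report, and state that the quick fix does not help where 'AllowOverride Options=...' lets a local user set "Options Includes" in '.htaccess'.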