No CGI for a domain should not have Options Includes (SECURITY)(TEMPLATES)

Version 1.514


If you disable CGI for a domain, "Includes" is now removed from the Options list the AllowOverride list. If you have CGI enabled, then cgi based server-side includes are allowed. Reasoning: Adding IncludesNoExec does not negate the exec portion of already added Includes Option because it's a binary "OR" so "+Includes +IncludesNoExec" *does* allow exec, which is not what we want. Must be "-Includes +IncludesNoExec" ================================================================= IMPORTANT: If you have CGI disabled, but have an .htaccess with: Options +Includes you will get an internal server error, so change it to be: Options +IncludesNoExec ================================================================= TEMPLATES: Changes to the 4 virtual_host2*.conf files for the CGI=off case: Token now set to: |?ALLOW_OVERRIDE=AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None| where Includes has been removed from the AllowOverride as well: |*if CGI=""| |ALLOW_OVERRIDE| Options -ExecCGI -Includes +IncludesNOEXEC |*endif| so Includes is not allowed without CGI, which is correct (as server-side includes exec have the same permissions as cgi-bin files)

Interested to try DirectAdmin? Get a 30-day Free Trial!