Best practices securing HTTP/HTTPS (continued)...


Server Side Includes continued...

Another solution is to disable the ability to run scripts and programs from SSI pages. To do this replace Includes with IncludesNOEXEC in the Options directive in the Apache configuration file. 

Note that users may still use <--#include virtual="..." --> to execute CGI scripts if these scripts are in directories designated by a ScriptAlias directive.

CGI in General

First of all, you always have to remember that you must trust the writers of the CGI scripts/programs.  CGI scripts can run essentially arbitrary commands on your system with the permissions of the web server user and can therefore be extremely dangerous if they are not carefully checked.

All the CGI scripts will run as the same user, so they have potential to conflict with other scripts.  One program which can be used to allow scripts to run as different users is suEXEC which is included with Apache as of 1.2. Another popular way of doing this is with CGIWrap.