<!--#config errmsg="Bungled again!"-->
We're now going to execute 'cmd="ls -l"'':
<< <!--#exec cmd="ls -l"--> >>
and now /usr/www/APACHE3/cgi-bin/mycgi.cgi:
<< <!--#exec cgi="/cgi-bin/mycgi.cgi"--> >>
and now the 'virtual' option:
<< <!--#include virtual="/cgi-bin/mycgi.cgi"--> >>
That was it.

We're now going to execute 'cmd="ls -l"'':
<< total 24
-rw-rw-r--  1 414  xten   39 Oct  8 08:33 another_file
-rw-rw-r--  1 414  xten  106 Nov 11  1997 echo.shtml
-rw-rw-r--  1 414  xten  295 Oct  8 10:52 exec.shtml
-rw-rw-r--  1 414  xten  174 Nov 11  1997 include.shtml
-rw-rw-r--  1 414  xten  206 Nov 11  1997 size.shtml
-rw-rw-r--  1 414  xten  269 Nov 11  1997 time.shtml
 >>
and now /usr/www/APACHE3/cgi-bin/mycgi.cgi:
<< Have a nice day
 >>
and now the 'virtual' option:
<< Have a nice day
 >>
That was it.

A prudent webmaster should view the cmd and cgi options with grave suspicion, since they let writers of SSIs give both themselves and outsiders dangerous access. However, if he uses Options +IncludesNOEXEC in conf/httpd2.conf, stops Apache, and restarts with ./go 2, the problem goes away:

We're now going to execute 'cmd="ls -l"'':
<< Bungled again! >>
and now /usr/www/APACHE3/cgi-bin/mycgi.cgi:
<< Bungled again! >>
and now the 'virtual' option:
<< Have a nice day
 >>
That was it.

Now, nothing can be executed through an SSI that couldn't be executed directly through a browser, with all the control that this implies for the webmaster. (You might think that exec cgi= would be the way to do this, but it seems that some question of backward compatibility intervenes.)

Apache 1.3 introduced the following improvement: buffers containing the output of CGI scripts are flushed and sent to the client whenever the buffer has something in it and the server is waiting.

14.3. Includes		14.5. Echo