Should ExecCGI be removed from the public_html folder apache directive?

My understanding is that ExecCGI is the command that can enable or disable the running of a CGI.

In the code below it looks like the Apache directive is allowing the enabling of CGI apps in the root of the public_html folder.

So my question is, should ExecCGI be removed from the public_html folder or have I missed something, perhaps this is required for PHP to be run?

ScriptAlias /cgi-bin/ /home/example/cgi-bin/
DirectoryIndex index.php index.htm index.html
<Directory /home/example/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    Require all granted
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
<Directory /home/example/cgi-bin>
    Require all granted
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
ProxyPass /.well-known !
RewriteEngine on

AllowOverride means .htaccess can override the default configuration. The default configuration does not have ExecCGI.

You can, of course, remove it, if you don’t want to allow that to be overridden by .htaccess. Historically it was pretty common to run CGI scripts in public_html, too, but much less so these days.

Gotcha, I wasn’t sure if it was a security risk.

Presumably you allow execution of PHP in public_html, if you’ve got any web apps installed. So, if a remote attacker gains the ability to write to public_html, it’s already over. There would be no need to modify .htaccess to run scripts, they’d just drop a PHP shell in public_html and be done.
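An added example, not part of the thread: a small audit that reports, for each `<Directory>` block, whether `Options` turns ExecCGI on and whether `AllowOverride` would let a .htaccess file turn it on, which are the two separate places the directive appears in the quoted configuration. It assumes a single config file, does not follow `Include`, merge nested directories or account for `ScriptAlias`, and treats `All` combined with an `Options=` list as limiting .htaccess to the listed options; the `/home/example/static` block is hypothetical.

```python
import re

# Constructed sample: public_html block as quoted in the question; /home/example/static is hypothetical.
SAMPLE_CONF = """\
<Directory /home/example/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
<Directory /home/example/static>
    Options -ExecCGI
    AllowOverride AuthConfig Options=Indexes
</Directory>
"""

def options_enable_cgi(args):
    """True if this Options line leaves ExecCGI switched on."""
    state = False
    for opt in args:
        if opt.lstrip("+-").lower() in ("execcgi", "all"):
            state = not opt.startswith("-")
    return state

def override_allows_cgi(args):
    """True if this AllowOverride line lets .htaccess set Options ExecCGI."""
    can_set, listed = False, None  # listed=None: no Options= restriction seen
    for word in args:
        key, _, value = word.lower().partition("=")
        if key in ("all", "options"):
            can_set = True
        if key == "options" and value:
            listed = set(value.split(","))
    return can_set and (listed is None or bool(listed & {"execcgi", "all"}))

def audit(conf_text):
    """Map each <Directory> path to its two ExecCGI findings."""
    report, current = {}, None
    for line in conf_text.splitlines():
        words = line.lower().split()
        opened = re.match(r'\s*<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = opened.group(1)
            report[current] = {"enabled": False, "htaccess_may_enable": False}
        elif words[:1] == ["</directory>"]:
            current = None
        elif current and words[:1] == ["options"]:
            report[current]["enabled"] = options_enable_cgi(words[1:])
        elif current and words[:1] == ["allowoverride"]:
            report[current]["htaccess_may_enable"] = override_allows_cgi(words[1:])
    return report
```

Calling `audit()` on the text of a vhost file returns one entry per directory; removing ExecCGI from only one of the two directives leaves the other finding set.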
