Information
The Apache 'Options' directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation.
Refer to the Apache 2.2 documentation for details
[http://httpd.apache.org/docs/2.2/mod/core.html#options](http://httpd.apache.org/docs/2.2/mod/core.html#options).
Rationale:
The options for other directories and hosts should be restricted to the minimal options required. A setting of 'None' is recommended; however, it is recognized that other options may be needed in some cases:
- 'Multiviews' is appropriate if content negotiation is required, such as when multiple languages are supported.
- 'ExecCGI' is only appropriate for special directories dedicated to executable content, such as a 'cgi-bin/' directory. That way you will know what is executed on the server. It is possible to enable CGI script execution based on file extension or permission settings, but this makes script control and management almost impossible as developers may install scripts without your knowledge.
- 'FollowSymLinks' & 'SymLinksIfOwnerMatch': The following of symbolic links is not recommended and should be disabled if possible. The usage of symbolic links opens up additional risk for possible attacks that may use inappropriate symbolic links to access content outside of the document root of the web server. Also consider that it could be combined with a vulnerability that allows an attacker or insider to create an inappropriate link. The option 'SymLinksIfOwnerMatch' is much safer in that the ownership must match in order for the link to be used, but keep in mind there is additional overhead created by requiring Apache to check the ownership.
- 'Includes' & 'IncludesNOEXEC': The 'IncludesNOEXEC' option should only be needed when server side includes are required. The full 'Includes' option should not be used because it allows execution of arbitrary shell commands. See Apache Mod Include for details [http://httpd.apache.org/docs/2.2/mod/mod_include.html](http://httpd.apache.org/docs/2.2/mod/mod_include.html).
- 'Indexes' causes automatic generation of indexes if the default index page is missing, so it should be disabled unless required.
Solution
Perform the following to implement the recommended state:
1. Search the Apache configuration files ('httpd.conf' and any included configuration files) to find all '<Directory>' elements.
2. Add or modify any existing 'Options' directive to NOT have a value of 'Includes'. Other options may be set if necessary and appropriate as described above.