3

I have the following Server Side Includes within an .html file called test.html...

<!--#include virtual="/cgi-bin/myScript.cgi"-->

<!--#include virtual="/includes/myFile.html"-->

When I view test.html live in my browser, myFile.html is being inserted/rendered just fine, however myScript.cgi is giving me

[an error occurred while processing this directive]

  • From the browser address bar, /cgi-bin/myScript.cgi is rendering output just fine, proving the file exists at the path and the permissions are correct (755).

  • The SSI handlers are set correctly as myFile.html is included just fine, proving the page is being parsed.

So if SSI is working and myScript.cgi is working, why isn't #include virtual working on this script?

As a side-note, this is on a cPanel hosting account and I have many other accounts (sites) at the server at the same hosting company with the same configuration. The others are all working as expected.

  • cPanel Version: 11.30.6 (build 3)
  • Apache version: 2.2.17
  • Architecture: x86_64
  • Operating system: linux
  • Perl version: 5.8.8
  • Kernel version: 2.6.18-194.32.1.el5
  • cPanel Pro: 1.0 (RC1)

The script simply returns the year from today's date as formatted text. The output is preceded by Content-type: text/html\n\n and it's not a new Perl script. It's working on the other accounts.

SDsolar
  • 155
  • 1
  • 1
  • 11
Sparky
  • 141
  • 1
  • 6

2 Answers2

1

My hosting company escalated the issue to cPanel, and to my embarrassment, it ended up being a setting in my .htaccess file that was missing after all.

The account that was working had this line, where the broken account, did not...

Options All -Indexes

All, by default, includes what the hosting company added in order to get it working...

Options +Includes +ExecCGI

Without +ExecCGI, it breaks as I described in my original posting.

Sparky
  • 141
  • 1
  • 6
0

Good troubleshooting in discovering that your SSIs work.
You have localized the problem to the CGI subsystem.

First of all, you need to make sure that you have set this in your .htaccess file:

Options ExecCGI

If your problem persists, you will need to look at your error log to find out the reason:

This error message is the same as a 500 error (which is generally what you get with errors in .htaccess itself) so the logs are where you will find the descriptive error message.

cPanel allows you to see your error logs.

They are your best friend.

In the error log section, cPanel will show you your client IP address that you are looking for - at the top. This is the IP address assigned by your ISP.

Modern versions of cPanel (like the one I use at Bluehost, Nov 2017), highlight the entries from your client, so the hack attempts don't distract you. If you don't have highlighting then use the Ctrl-F (Find) function of your browser to locate entries coming from you.

See the end of this answer for an example of all the hacking attempts they deal with. It is worth every penny to let them handle it rather than to try to run your own server out in the wild.

ANSWER: I believe your use of <!--#Include for CGI is the problem.

Most modern Apache servers need you to use: 

<!--#exec cgi="/cgi-bin/myScript.cgi" -->

instead of simply including the script.

==> Be sure your HTML file has a .shtm or .shtml extension.

Note that all /cgi-bin/ files need to have 755 permissions. - that means RWX for Owner and RX for Group & Public 

chmod 755 /cgi-bin/*

===> Never give 777 permissions to them or to the .htaccess file, or else someone from outside can easily alter them.

This shows is why it is good to use a hosting service instead of running your own server.

Sample log output of hacking attempts, mostly blocked by RBL:

enter image description here

SDsolar
  • 155
  • 1
  • 1
  • 11