Webmasters might be willing to allow people to use server-side-includes which execute ScriptAliased cgi-scripts, but at the same time, they cannot allow server-side includes which can call any program/script.
This patch adds a new configuration Option for conf/access.conf called IncludesYesCGInoCMD which permits the desired behaviour.
If IncludesYesCGInoCMD is used, cgi-scripts can be included in server-side includes, but the less secure cmd variety of includes are rejected.
Add to the Options directive IncludesYesCGInoCMD e.g.
Options Indexes FollowSymLinks Includes IncludesYesCGInoCMD