Last week a server was hacked by uploading a Perl script. An uploaded .htaccess made it possible to run that Perl script (AddHandler cgi-script and Options +ExecCGI).

Is there a way to prevent +ExecCGI from being set through .htaccess? Disabling Options and AddHandler altogether is not a solution (they are used on other sites with other handlers/options).

Another way to solve it: allow only specific files (formail.cgi, awstats.pl) to be executed as CGI (specified in httpd.conf). Is this possible in some way?

1 Answer

I figured it out myself (RTFM!)

This line in httpd.conf will stop ExecCGI from being enabled by an .htaccess file:

AllowOverride AuthConfig FileInfo Indexes Limit Options=FollowSymLinks,Includes,IncludesNOEXEC,Indexes,SymLinksIfOwnerMatch
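
A way to check an existing configuration for this setting, as an added example that is not part of the original answer: the script scans Apache configuration text for AllowOverride lines that would still let an .htaccess file turn on ExecCGI. The sample configuration, its directory paths and the function names are constructed for illustration.

```python
import re

# Constructed sample config (assumption, not from the post); site-c uses the answer's line.
SAMPLE_CONF = """\
<Directory "/var/www/site-a">
    AllowOverride All
</Directory>
<Directory "/var/www/site-b">
    AllowOverride AuthConfig FileInfo Indexes Limit Options
</Directory>
<Directory "/var/www/site-c">
    AllowOverride AuthConfig FileInfo Indexes Limit Options=FollowSymLinks,Includes,IncludesNOEXEC,Indexes,SymLinksIfOwnerMatch
</Directory>
<Directory "/var/www/site-e">
    AllowOverride Options=Indexes,ExecCGI
</Directory>
"""

def htaccess_can_enable_execcgi(args):
    """True if these AllowOverride arguments let .htaccess set Options ExecCGI."""
    for arg in args:
        low = arg.lower()
        if low in ("all", "options"):  # bare "Options" permits every option
            return True
        if low.startswith("options="):
            allowed = low.split("=", 1)[1].split(",")
            if "execcgi" in allowed or "all" in allowed:
                return True
    return False

def audit(conf_text):
    """Return [(section, line number)] for AllowOverride lines that permit ExecCGI."""
    findings, stack = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        opened = re.match(r"<(\w+)\s+(.*?)>$", raw.strip())
        if parts[0].startswith("</"):
            del stack[-1:]  # leave the innermost section
        elif opened:
            stack.append(opened.group(2).strip("\"'"))
        elif parts[0].lower() == "allowoverride" and htaccess_can_enable_execcgi(parts[1:]):
            findings.append((stack[-1] if stack else "<server config>", lineno))
    return findings

if __name__ == "__main__":
    for section, lineno in audit(SAMPLE_CONF):
        print(f"line {lineno}: .htaccess under {section} can enable ExecCGI")
```
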