Bug 60402

Summary: ScriptAlias works as Alias when mod_cgi is not load
Product: Apache httpd-2 Reporter: Victor Porton <porton>
Component: mod_aliasAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal    
Priority: P2    
Version: 2.4.10   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Victor Porton 2016-11-22 16:59:17 UTC 
ScriptAlias works as if it were Alias when mod_cgi is not load.

This is a security hole as the visitor receives access to CGI files (which may contain passwords and other secret information), when mod_cgi is not load by mistake.

Instead ScriptAlias should fail with an error when mod_cgi isn't load.

Apache/2.4.10 (Debian)