I'd vote for at least replacing Options Includes with IncludesNoExec. While it might not ban the risk entirely, there should be a hint that it is dangerous to use/make available to customers. http://httpd.apache.org/docs/2.4/misc/security_tips.html#ssi

I didn't test the <!--#include virtual="..." --> thing yet, but I do see a lot of ppl installing some random piece of garbage software telling or at least leading them to chmod 777 just everything, which ... yeah, could be found by other hosts using some file traversal. Think of uploading custom-program-doing-traversal-and-stuff which sits in customer's /var/www/foo-lder so suexec runs it without complaining, et voilà, success: I was able to tamper with that poor customer. Since I usually work in trusted/isolated environments I never thought 'bout that, but it's a serious issue. It works only through ssi-exec though; running that php-script for example => nope, doesn't work ... uhm yeah, cgi-bin executing arbitrary code, same thing likely.
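
An added example (not part of the comment above and not project code): a small Python check that flags Apache config lines which leave SSI #exec reachable, meaning Options that enable Includes or All, and AllowOverride values that let .htaccess turn Includes back on. The sample config, its paths and the function name audit_ssi_exec are constructed for illustration.

```python
import re

# Constructed sample config for illustration; paths are placeholders.
SAMPLE_CONF = """\
<Directory /var/www/customer-a>
    Options +Includes -Indexes
    AllowOverride Options
</Directory>
<Directory /var/www/customer-b>
    # Options Includes   (commented out, must be ignored)
    Options IncludesNoExec FollowSymLinks
    AllowOverride Options=IncludesNoExec,Indexes
</Directory>
"""

SECTION_OPEN = re.compile(r"^<\s*(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</\s*\w+\s*>$")

def audit_ssi_exec(conf_text):
    """Return (line_no, section, reason) for settings that leave SSI #exec reachable."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(f"{opened.group(1)} {opened.group(2)}".strip())
            continue
        words = line.split()
        name, args = words[0].lower(), [w.lower() for w in words[1:]]
        where = stack[-1] if stack else "(server config)"
        if name == "options":
            # "-Includes" switches the option off; bare or "+" switches it on.
            enabled = {a.lstrip("+") for a in args if not a.startswith("-")}
            if enabled & {"includes", "all"}:
                findings.append((no, where, "Options enables Includes, so #exec is allowed"))
        elif name == "allowoverride":
            for a in args:
                # "Options=a,b" limits what .htaccess may set; bare Options/All does not.
                listed = a.partition("=")[2].split(",") if a.startswith("options=") else []
                if a in ("options", "all") or "includes" in listed:
                    findings.append((no, where, ".htaccess may enable Includes"))
    return findings
```

Per the Apache documentation, IncludesNoExec disables #exec cmd and #exec cgi but still permits #include virtual of CGI scripts from ScriptAliased directories, so a clean result here does not cover that path.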