Invalid IncludesNOEXEC option processing allows code execution via included .shtml files.
vulners.com/securityvulns/securityvulns:doc:21917