Or, more commonly, a path traversal combined with SSI injection:
Unlike a static .html file, which the server sends directly to the client, an .shtml file is parsed by the web server before delivery. If the server finds specific directives (e.g., <!--#echo var="DATE_LOCAL" --> or <!--#include virtual="header.html" -->), it executes them.
A patch also eliminated directory traversal. It would canonicalize the path (resolve ../ sequences) and ensure the requested file resided within the web root or a designated includes directory.
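The containment check described above, sketched in Python as an added example (not code from the original page or from any particular web server). The function name resolve_include, the directory layout and the sample requests are constructed for illustration, and a POSIX filesystem is assumed for the symlink case.

```python
import os
import tempfile


def resolve_include(base_dir, requested):
    """Return the canonical path of `requested` if it stays inside
    base_dir, otherwise None. Hypothetical helper, not a server API."""
    if "\x00" in requested:
        return None  # an embedded NUL can truncate the path in native code
    base = os.path.realpath(base_dir)
    # Treat a leading slash as "relative to the base", so an absolute
    # path cannot replace the base when the two are joined.
    joined = os.path.join(base, requested.lstrip("/\\"))
    # realpath collapses ../ sequences and follows symlinks.
    candidate = os.path.realpath(joined)
    # commonpath compares whole path components, so a sibling such as
    # "www-private" is not mistaken for a child of "www".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Build a constructed web root and report which requests pass."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        sibling = os.path.join(tmp, "www-private")
        os.makedirs(os.path.join(root, "includes"))
        os.makedirs(sibling)
        open(os.path.join(root, "includes", "header.html"), "w").close()
        open(os.path.join(sibling, "secret.txt"), "w").close()
        # A symlink inside the root that points outside it.
        os.symlink(sibling, os.path.join(root, "includes", "link"))
        requests = [
            "includes/header.html",
            "/includes/header.html",
            "../../etc/passwd",
            "includes/../../www-private/secret.txt",
            "includes/link/secret.txt",
        ]
        return {r: resolve_include(root, r) is not None for r in requests}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print("ALLOW" if allowed else "DENY ", request)
```

Comparing with a plain string prefix instead of commonpath would accept the www-private sibling, and skipping realpath would accept the symlink.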
Worse, some servers allowed exec or cmd directives. An attacker could inject: <!--#echo var="DATE_LOCAL" -->
If you are working with a "patched" version of a system, ensure the following: