View Shtml Patched -

In 2019, a large Midwest university discovered that their legacy alumni portal—running an unpatched version of Apache 1.3 from 2002—still had the view.shtml endpoint active. A penetration tester found that by sending:

GET /alumni/view.shtml?page=../../../conf/server.conf<!--#exec cmd="cat /etc/shadow" -->

They could retrieve password hashes.

The fix was a textbook "view shtml patched" procedure: view shtml patched

The vulnerability was closed within 48 hours. The lesson: Legacy does not mean irrelevant. In 2019, a large Midwest university discovered that

The OWASP CRS includes rules 932100-932180 specifically for SSI injection. They could retrieve password hashes

If you don’t need SSI, remove the handler:

RemoveHandler server-parsed .shtml
RemoveType application/x-httpd-php .shtml

Then move all .shtml files to .html and pre-process them statically.