SSI Injection
SSI Injection (Server-side Include) is a server-side exploit technique
that allows an attacker to send code into a web application, which will
later be executed locally by the web server. SSI Injection exploits a
web application's failure to sanitize user-supplied data before they
are inserted into a server-side interpreted HTML file.
A web server may parse and execute Server-side Include statements
in an HTML web page before serving it to the user. In some cases
(e.g. message boards, guest books, or content
management systems), a web application will insert user-supplied
data into the source of a web page.
If an attacker submits a Server-side Include statement, he may have
the ability to execute arbitrary operating system commands, or
include a restricted file's contents the next time the page is served.
Example
The following SSI tag can allow an attacker to get the root directory
listing on a UNIX-based system.
<!--#exec cmd="/bin/ls /" -->
The following SSI tag can allow an attacker to obtain database
connection strings, or other sensitive data contained within a .NET
configuration file.
<!--#INCLUDE VIRTUAL="/web.config"-->
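The following is an added example, not code from the original page. It shows a guest book entry written into a server-parsed page without sanitization, beside a version that HTML-encodes user data first, plus a check that flags SSI directives in input. The function names, the entry template and the sample submissions are assumptions made for illustration.

```python
import html
import re

# Opener of an SSI directive: "<!--#element". Whitespace is tolerated for
# detection even though a server may require the strict form.
SSI_OPENER = re.compile(r"<!--\s*#\s*([A-Za-z]+)")

# Hypothetical guest book markup that ends up in a server-parsed file.
ENTRY_TEMPLATE = '<div class="entry"><b>{name}</b>: {message}</div>'


def find_ssi_directives(text):
    """Return the lowercased element names of SSI directives found in text."""
    return [m.group(1).lower() for m in SSI_OPENER.finditer(text)]


def render_entry_unsafe(name, message):
    """Vulnerable pattern: raw user data written into a server-parsed page."""
    return ENTRY_TEMPLATE.format(name=name, message=message)


def render_entry(name, message):
    """Hardened pattern: HTML-encode every user field before insertion.

    Encoding '<' and '>' means the stored page never contains the literal
    '<!--#' sequence, so the SSI parser finds no directive to act on.
    """
    return ENTRY_TEMPLATE.format(
        name=html.escape(name, quote=True),
        message=html.escape(message, quote=True),
    )


# Constructed sample submissions, using the two tags shown on this page.
SAMPLES = [
    ("alice", "Nice site!"),
    ("bob", '<!--#exec cmd="/bin/ls /" -->'),
    ("carol", '<!--#INCLUDE VIRTUAL="/web.config"-->'),
]

if __name__ == "__main__":
    for name, message in SAMPLES:
        unsafe = render_entry_unsafe(name, message)
        safe = render_entry(name, message)
        print(name, "submitted directives:", find_ssi_directives(message) or "none")
        print("  directives in unsafe page: ", find_ssi_directives(unsafe))
        print("  directives in encoded page:", find_ssi_directives(safe))
```

The detection function is suited to logging and alerting on submissions; the encoding step is what keeps the directive out of the stored page.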