Server side includes in https://lgtm-com.pentesting.semmle.net/internal_api/v0.2/savePublicInformation leads to 500 server error and D-DOS

Disclosed: 2019-07-18 12:54:03 By zzealsham To semmle
Low
Vulnerability Details
**Summary:** Improper sanitizing of input in one of the input forms in https://lgtm-com.pentesting.semmle.net/internal_api/v0.2/savePublicInformation leads to a server side include that causes a 500 internal server error and a possible denial of service.

**Description:** After logging in to semmle, in order to update your personal information a POST request is sent to the endpoint https://lgtm-com.pentesting.semmle.net/internal_api/v0.2/savePublicInformation. Entering the following payload as the value of the location field causes a 500 server error.

## Steps To Reproduce

1. Log in to semmle.
2. Go to the account settings page.
3. Fill the form and hit save.
4. Trap the request with a proxy like Burp.
5. Enter the payload `<!--#config timefmt="A %B %d %Y %r"-->` as the value for location, so the body of the form looks like this: {F350625}

## Supporting Material/References:

{F350626}

## Impact

A user could send a more harmful command to the server and cause the server to be unavailable for other users. Also, after entering that payload I could no longer access https://lgtm.com.pentesting.semmle.net/settings; it kept on loading forever.
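As an added defender-side example (not code from the report or from Semmle), the check below shows how a profile-field handler can reject input that carries an SSI directive such as the `<!--#config ...-->` payload above, and how escaping on output keeps `<!--#` inert even if it is stored; the function names and sample values are assumptions constructed for this illustration.

```python
import html
import re

# Apache-style SSI directive: "<!--#" + directive name + attributes + "-->".
# Whitespace after "<!--" and "#" is tolerated so minor variants are still caught.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([A-Za-z]+)\b[^>]*-->", re.DOTALL)

# Constructed sample inputs: the report's payload, a plain location, and a
# harmless HTML comment that must NOT be mistaken for an SSI directive.
SAMPLE_INPUTS = {
    "report_payload": '<!--#config timefmt="A %B %d %Y %r"-->',
    "plain_location": "Lagos, Nigeria",
    "html_comment": "<!-- just a comment -->",
}


def find_ssi_directives(value: str) -> list[str]:
    """Return the lower-cased names of every SSI directive found in value."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(value)]


def validate_profile_field(value: str, max_len: int = 200) -> tuple[bool, str]:
    """Server-side check for a free-text profile field (e.g. location).

    Returns (accepted, reason). Anything resembling an SSI directive is
    rejected before it can be stored or rendered.
    """
    if len(value) > max_len:
        return False, "field too long"
    found = find_ssi_directives(value)
    if found:
        return False, "ssi directive rejected: " + ", ".join(found)
    return True, "ok"


def render_profile_field(value: str) -> str:
    """Escape on output so '<' never reaches an SSI-enabled renderer as markup."""
    return html.escape(value, quote=True)


def check_samples() -> dict[str, bool]:
    """Run the validator over the constructed samples; True means accepted."""
    return {name: validate_profile_field(v)[0] for name, v in SAMPLE_INPUTS.items()}


if __name__ == "__main__":
    for name, value in SAMPLE_INPUTS.items():
        print(name, validate_profile_field(value), render_profile_field(value))
```

Rejecting on input and escaping on output are independent layers; the second still protects data that was stored before the check existed.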
Report Stats
  • Report ID: 413655
  • State: Closed
  • Substate: not-applicable
  • Upvotes: 2