By Chris Kessler:

Apache, in newer releases, has changed the include strings in the configuration to allow 'include_once', the current configuration only filters 'include' and 'load_module', its the same bug i submitted some time ago. Another thing to watch, is that nginx now supports dynamic modules and nginx-based servers running 1.11.5 and later are vulnerable now as well. The catch on this bug, is that you must know how to compile an apache/nginx module AND that debian is still shipping nginx 1.6.2 in the repo's (at least that's what my servers have)