From the doc: 'This program exploits two holes in 'statsconfig.pl', a cgi script which is installed by default by OmniHTTPd v2.07 (and possibly older versions). Any file on the system may be corrupted, including those on drives the server does not reside on. Code can be injected into '/cgi-bin/stats.pl'. The absolute path to the the 'cgi-bin' must already be known.'