Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 158174

Summary: design flaw: webalizer uses $PWD/webalizer.conf as default.
Product: Red Hat Enterprise Linux 4 Reporter: Florian Brand <florian.brand>
Component: webalizerAssignee: Joe Orton <jorton>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-10-04 07:40:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Florian Brand 2005-05-19 11:47:33 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041215 Firefox/1.0 Red Hat/1.0-12.EL4

Description of problem:
webalizer tries to open it's config file from the current working directory.
If it doesn't find a config file there it opens /etc/webalizer.conf

So it is dependent of your location in the filesystem what is executed.
I consider this a security flaw. (imagine an intruder places a webalizer.conf in /tmp and root executes:
host /tmp # /usr/bin/webalizer

In addition to that: I discovered this behaviour when one of my students executed webalizer in /etc/httpd/conf.d/. In this directory there is Apache's webalizer.conf file.

It is not technically a bug, since webalizer works as described in the man-page.
I suggest to change the behaviour of webalizer to open $HOME/.webalizer.conf instead of $PWD/webalizer.conf before defaulting to /etc/webalizer.conf.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. cd /etc/httpd/conf.d/
2. /usr/bin/webalizer

Actual Results:  webalizer hangs because of a syntax error

Expected Results:  webalizer uses /etc/webalizer.conf

Additional info:

do we have a priority Security/Low ?

Comment 1 Joe Orton 2005-09-14 14:19:00 UTC
I think it would be reasonable to at least check that the owner/group of the
file found in the pwd matches the effective uid/group, but not to change the
documented behaviour of loading $PWD/webalizer.conf.

Comment 2 Joe Orton 2005-10-04 07:40:18 UTC
This problem is resolved in the next release of Red Hat Enterprise Linux. Red
Hat does not currently plan to provide a resolution for this in a Red Hat
Enterprise Linux update for currently deployed systems.