Bug 158174 - design flaw: webalizer uses $PWD/webalizer.conf as default.
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: webalizer
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-05-19 11:47 UTC by Florian Brand
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-10-04 07:40:18 UTC
Target Upstream Version:



Description Florian Brand 2005-05-19 11:47:33 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041215 Firefox/1.0 Red Hat/1.0-12.EL4

Description of problem:
webalizer tries to open its config file from the current working directory.
If it doesn't find a config file there, it opens /etc/webalizer.conf.

So what is executed depends on your location in the filesystem.
I consider this a security flaw. Imagine an intruder places a webalizer.conf in /tmp and root executes:
host /tmp # /usr/bin/webalizer

In addition to that: I discovered this behaviour when one of my students executed webalizer in /etc/httpd/conf.d/. In this directory there is Apache's webalizer.conf file.

It is not technically a bug, since webalizer works as described in the man-page.
I suggest changing the behaviour of webalizer to open $HOME/.webalizer.conf instead of $PWD/webalizer.conf before defaulting to /etc/webalizer.conf.

Version-Release number of selected component (if applicable):
webalizer-2.0.1_10.25

How reproducible:
Always

Steps to Reproduce:
1. cd /etc/httpd/conf.d/
2. /usr/bin/webalizer

Actual Results:  webalizer hangs because of a syntax error

Expected Results:  webalizer uses /etc/webalizer.conf

Additional info:

Do we have a priority Security/Low?

Comment 1 Joe Orton 2005-09-14 14:19:00 UTC
I think it would be reasonable to at least check that the owner/group of the
file found in the pwd matches the effective uid/group, but not to change the
documented behaviour of loading $PWD/webalizer.conf.
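
The ownership check proposed in Comment 1, sketched in C as an added example; it is not part of the bug report and is not webalizer's or Red Hat's actual change. The function names are hypothetical, and the O_NOFOLLOW, O_NONBLOCK and regular-file checks are assumptions that go beyond what the comment proposes.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not webalizer code): open path only if it is a regular
 * file whose owner and group match uid/gid. Returns a read-only fd or -1. */
int open_conf_if_owned(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    /* O_NOFOLLOW rejects a symlink; O_NONBLOCK avoids hanging on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor rather than stat() the path, so the file that
     * was checked is the file that gets read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != uid || st.st_gid != gid) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Documented lookup order is kept: ./webalizer.conf first, then the
 * system-wide file. *used receives the path that was selected. */
int open_webalizer_conf(const char **used)
{
    int fd = open_conf_if_owned("webalizer.conf", geteuid(), getegid());
    if (fd >= 0) {
        *used = "webalizer.conf";
        return fd;
    }
    *used = "/etc/webalizer.conf";
    return open(*used, O_RDONLY);
}

int main(void)
{
    const char *used;
    int fd = open_webalizer_conf(&used);
    printf("%s: %s\n", used, fd >= 0 ? "opened" : "not available");
    if (fd >= 0)
        close(fd);
    return 0;
}
```

With this check, a webalizer.conf in the current directory that belongs to another user is skipped and the lookup falls through to /etc/webalizer.conf.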

Comment 2 Joe Orton 2005-10-04 07:40:18 UTC
This problem is resolved in the next release of Red Hat Enterprise Linux. Red
Hat does not currently plan to provide a resolution for this in a Red Hat
Enterprise Linux update for currently deployed systems.



