From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020310
Description of problem:
This notice is from securiteam.com:
Remote Buffer Overflow in Webalizer (DNS Resolve)
The Webalizer is a fast, free web server log file analysis program. It produces
highly detailed, easily configurable usage reports in HTML format, for viewing
with a standard web browser. A security vulnerability in the product allows
attackers to cause the program to crash causing it to execute arbitrary code.
Webalizer version 2.01-09
Webalizer version 2.01-06
The Webalizer has the ability to perform reverse DNS lookups. This ability is
disabled by default, but if enabled, an attacker with control over his DNS
service has the ability to gain remote root access to a machine, due to a
buffer overflow in the reverse resolving code.
(NOTE: Webalizer version 2.01-06 is part of Red Hat Linux 7.2 distribution,
enabled by default and run daily by the cron daemon.)
The information has been provided by Spybreak.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Use webalizer
Actual Results: I have not confirmed the buffer overflow, however the advisory
states that RH 7.2 is vulnerable.
Could you please give a testcase showing how to reproduce this bug? Thanks.
Is this the same problem as the one outlined on
Sounds alike (and this is supposed to be fixed in -09, if you're still seeing
this problem in -09, please provide a sample exploit or any other hint on why
you think it's still a problem).
It is the same.
Brad just released webalizer-2.01-10 which fixes it. From his bugtraq post:
Date: Wed, 17 Apr 2002 02:19:37 -0400 (EDT)
From: Bradford L. Barrett <email@example.com>
To: Franck Coppola <firstname.lastname@example.org>
Cc: Spybreak <email@example.com>, firstname.lastname@example.org,
Subject: Re: Remote buffer overflow in Webalizer
> Here is a patch to fix the vulnerability (tested against webalizer-2.01-06).
Bad fix.. while it will prevent the buffer from overflowing (which I still
fail to see how can be used to execute a 'root' exploit, even with a LOT
of imagination), but will cause the buffer to be filled with a non-null
terminated string which will do all sorts of nasty things to your output,
not to mention wreak havoc on the stats since you are cutting off the
domain portion, not the hostname part, and adding random garbage at the
Anyway, Version 2.01-10 has been released, which fixes this and a few
other buglets that have been discovered in the last month or so. Get it
at the usual place (web: www.mrunix.net/webalizer/ or www.webalizer.org
or ftp: ftp.mrunix.net/pub/webalizer/), and should be on the mirror sites
2.01-10 in rawhide.
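
Added example, not part of the thread and not Webalizer's code: the failure mode described in the quoted Bugtraq reply, where a bounded copy stops the overflow but leaves the buffer without a terminating NUL and drops the domain end of the name. `HOST_MAX`, the function names and the sample hostname are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 16  /* assumed, deliberately small buffer size for the demo */

/* Bounded copy in the criticised style: no overflow, but when
 * strlen(src) >= HOST_MAX strncpy() writes no terminating NUL.
 * Returns 1 if dst holds a NUL within HOST_MAX bytes, else 0. */
int copy_strncpy_only(char dst[HOST_MAX], const char *src)
{
    memset(dst, 'X', HOST_MAX);            /* simulate stale buffer contents */
    strncpy(dst, src, HOST_MAX);
    return memchr(dst, '\0', HOST_MAX) != NULL;
}

/* Always terminates, but keeps the left end of the name, so the
 * domain portion on the right is what gets cut off. */
void copy_keep_head(char dst[HOST_MAX], const char *src)
{
    strncpy(dst, src, HOST_MAX - 1);
    dst[HOST_MAX - 1] = '\0';
}

/* Always terminates and keeps the right end of the name, so an
 * over-long name loses leading host bytes instead of its domain. */
void copy_keep_domain(char dst[HOST_MAX], const char *src)
{
    size_t len = strlen(src);
    if (len >= HOST_MAX)
        src += len - (HOST_MAX - 1);       /* skip the leading excess */
    memcpy(dst, src, strlen(src) + 1);     /* at most HOST_MAX bytes incl. NUL */
}

int main(void)
{
    /* Constructed sample: a resolver answer longer than the buffer. */
    const char *name = "aaaaaaaaaaaaaaaaaaaa.host.example.com";
    char buf[HOST_MAX];

    printf("strncpy only, terminated: %d\n", copy_strncpy_only(buf, name));
    copy_keep_head(buf, name);
    printf("keep head:   %s\n", buf);
    copy_keep_domain(buf, name);
    printf("keep domain: %s\n", buf);
    return 0;
}
```

Printing or `strlen()`-ing the buffer after `copy_strncpy_only()` on an over-long name would read past the array, which is why the function reports termination with `memchr()` instead.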