(RADIATOR) Username/Password hacking while using AuthBy SQL

Rodrigo Nuno Bragança da Cunha rodrigo.cunha at corp.vodafone.pt
Fri Dec 5 14:25:53 CST 2003


I'm using AuthBy SQL to authenticate user/passwd against an OTP session 
database, and everything is working just fine, but today I noticed a 
problem: what if a malicious user sets his username and/or password for 
something containing special SQL codes, like ', or ", etc...?

Well, I tried and it worked as expected: malicious queries can be done 
that way.

The question is: how do I solve that? RewriteUsername won't work for 
passwords... and also for accounting... the same problem exists.



Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list