(RADIATOR) Username/Password hacking while using AuthBy SQL
Rodrigo Nuno Bragança da Cunha
rodrigo.cunha at corp.vodafone.pt
Fri Dec 5 14:25:53 CST 2003
Hi!
I'm using AuthBy SQL to authenticate user/passwd against an OTP session
database, and everything is working just fine, but today I noticed a
problem: what if a malicious user sets his username and/or password to
something containing special SQL codes, like ' or ", etc.?
Well, I tried and it worked as expected: malicious queries can be done
that way.
The question is: how do I solve that? RewriteUsername won't work for
passwords... and the same problem also exists for accounting.
Thanks,
Rodrigo
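As an added example (not from the post and not Radiator's own code), a small Python/sqlite3 model of the problem described above: a constructed sessions table and the constructed functions make_db, auth_interpolated and auth_parameterized. The first splices the RADIUS username and password into the SQL text the way the post describes, so quote characters change the statement; the second binds them as parameters, so the driver treats them as plain data and no manual escaping or rewriting of the attributes is needed.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the OTP session database (not Radiator's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (username TEXT, otp TEXT)")
    conn.execute("INSERT INTO sessions VALUES ('alice', '123456')")
    conn.commit()
    return conn


def auth_interpolated(conn, user, pw):
    """Vulnerable form: attribute values are pasted into the SQL text.

    A quote in the username or password ends the string literal early, so
    the rest of the value becomes SQL.  Returns True when a row matches.
    """
    sql = (f"SELECT COUNT(*) FROM sessions WHERE username='{user}' "
           f"AND otp='{pw}'")
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        # A stray quote usually just breaks the statement; a crafted one does not.
        return False


def auth_parameterized(conn, user, pw):
    """Hardened form: values are bound as parameters, never parsed as SQL.

    Quotes in user or pw stay literal, so only an exact username/OTP pair
    in the table can match.  Same result type as auth_interpolated.
    """
    sql = "SELECT COUNT(*) FROM sessions WHERE username=? AND otp=?"
    return conn.execute(sql, (user, pw)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    bad_pw = "' OR '1'='1"           # constructed input containing a quote
    print("interpolated  :", auth_interpolated(db, "alice", bad_pw))   # True
    print("parameterized :", auth_parameterized(db, "alice", bad_pw))  # False
```

The same parameter-binding approach applies to the accounting inserts mentioned in the post, since every attribute written to the database is data, not query text.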
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.