(RADIATOR) Username/Password hacking while using AuthBy SQL
Hugh Irvine
hugh at open.com.au
Fri Dec 5 16:50:42 CST 2003
Hello Rodrigo -
You can use the UsernameCharset parameter to restrict the characters in
the username.
See section 6.4.30 in the Radiator 3.7.1 reference manual.
As far as the password is concerned, this field is only read from the
database and the comparison is done inside Radiator.
regards
Hugh
On 06/12/2003, at 7:25 AM, Rodrigo Nuno Bragança da Cunha wrote:
> Hi!
>
> I'm using AuthBy SQL to authenticate user/passwd against an OTP
> session database, and everything is working just fine, but today I
> noticed a problem: what if a malicious user sets his username and/or
> password to something containing special SQL characters, like ' or ",
> etc.?
>
> Well, I tried and it worked as expected: malicious queries can be done
> that way.
>
> The question is: how do I solve that? RewriteUsername won't work for
> passwords... and also for accounting... the same problem exists.
>
> Thanks,
>
> Rodrigo
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
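To make the advice in this thread concrete, here is an added example (written for this archive page; it is not Radiator code, and not code posted by either participant). It mimics an AuthBy SQL style lookup in which the User-Name is spliced into the AuthSelect text as a quoted literal, shows the tautology injection Rodrigo describes, and then shows the two defences Hugh points to: an allow-list on the username characters (what Radiator's UsernameCharset parameter does; in Radiator the value is a Perl character class, and the class used below is an illustrative choice, not a recommended setting) and keeping the request password out of the SQL entirely, so that the comparison happens in the server after the stored value is read back. It also shows the stronger fix of binding the username as a query parameter. The SUBSCRIBERS table, its columns and the two sample rows are constructed for the demo.

```python
"""
SQL injection through a RADIUS User-Name, and the mitigations discussed in the thread.
Added example for this archive page; not Radiator code. Table, column names and
sample rows are constructed for the demonstration.
"""
import hmac
import re
import sqlite3

# Assumption for the demo: the server builds the lookup by splicing the username
# into the query text as a quoted literal (the pattern that makes injection possible).
AUTH_SELECT_UNSAFE = "SELECT PASSWORD FROM SUBSCRIBERS WHERE USERNAME='%s'"

# Allow-list in the spirit of UsernameCharset: only these characters may appear in
# a User-Name. Illustrative class, chosen for the demo.
USERNAME_CHARSET = re.compile(r"^[a-zA-Z0-9.@_-]+$")


def make_db():
    """In-memory OTP session table with two constructed subscribers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SUBSCRIBERS (USERNAME TEXT PRIMARY KEY, PASSWORD TEXT)")
    conn.executemany(
        "INSERT INTO SUBSCRIBERS VALUES (?, ?)",
        [("alice", "otp-482913"), ("bob", "otp-771004")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """String interpolation: the username becomes part of the SQL text, so a
    value such as  ' OR '1'='1  turns the WHERE clause into a tautology."""
    rows = conn.execute(AUTH_SELECT_UNSAFE % username).fetchall()
    return [r[0] for r in rows]


def lookup_param(conn, username):
    """Bound parameter: the username is data and cannot change the query structure."""
    rows = conn.execute(
        "SELECT PASSWORD FROM SUBSCRIBERS WHERE USERNAME=?", (username,)
    ).fetchall()
    return [r[0] for r in rows]


def username_allowed(username):
    """UsernameCharset-style check: reject any User-Name outside the allow-list."""
    return bool(USERNAME_CHARSET.match(username))


def authenticate(conn, username, password, charset_check=True):
    """The flow Hugh describes: the request password never reaches the database.
    The stored password is read back and compared inside the server, so a
    password containing quotes is just a wrong password, not SQL."""
    if charset_check and not username_allowed(username):
        return "REJECT: bad charset"
    stored = lookup_param(conn, username)
    if len(stored) != 1:
        return "REJECT: no such user"
    if hmac.compare_digest(stored[0].encode(), password.encode()):
        return "ACCEPT"
    return "REJECT: bad password"


def main():
    conn = make_db()
    payload = "' OR '1'='1"
    print("unsafe lookup, normal user :", lookup_unsafe(conn, "alice"))
    print("unsafe lookup, injection   :", lookup_unsafe(conn, payload))
    print("param lookup, injection    :", lookup_param(conn, payload))
    print("charset check on injection :", username_allowed(payload))
    print("auth alice, good OTP       :", authenticate(conn, "alice", "otp-482913"))
    print("auth alice, SQL in password:", authenticate(conn, "alice", payload))
    print("auth with SQL in username  :", authenticate(conn, payload, "x"))


if __name__ == "__main__":
    main()
```

The same reasoning applies to the accounting side Rodrigo raises: any AcctSQLStatement-style INSERT that splices attribute values into the SQL text is open to the same trick, and the charset allow-list on User-Name only covers that one attribute, so binding values as parameters (or at minimum SQL-quoting every interpolated value) is the general fix.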