I have not investigated this too far yet but I thought it important enough
to alert others of it now...

I have discovered a fault in the setup of /our/ Radiator configuration where
users may successfully authenticate to our SQL database with an INVALID
username.

The error occurs when the user places an apostrophe somewhere in their
username - even though there is not one in their user record on our system,
Radiator will still let them in.  (eg:  Username johnsmith logs in as
johnsmit'h )

The accounting record is written as johnsmit'h so effectively the user does
not get billed for their usage.

We use the standard RewriteUsername to strip the realm (RewriteUsername
s/^([^@]+).*/$1/  ) so something could be put into there to strip
apostrophes as well but this is not really a 'solution' (Anyone want to
supply one for now anyway?)

For reference our AuthSelect looks something like this ...
AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'

I thought that others may also want to know about this.

Happy Easter!

Brian Morris
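The query construction described in the post, as an added example that is not Radiator's code or the poster's configuration: Python with an in-memory sqlite3 table standing in for the SUBSCRIBERS table. lookup_interpolated builds the statement the way a textual '%n' substitution does, lookup_bound passes the username as a bound parameter instead, and authenticate treats any query error or missing row as a reject and hands back the stored username so accounting is written against the real record; the table rows and passwords are constructed.

```python
import sqlite3

# Constructed sample data standing in for the SUBSCRIBERS table in the post.
SAMPLE_ROWS = [("johnsmith", "s3cret"), ("o'brien", "pa55")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table SUBSCRIBERS (USERNAME text, PASSWORD text)")
    db.executemany("insert into SUBSCRIBERS values (?, ?)", SAMPLE_ROWS)
    return db


def lookup_interpolated(db, username):
    """Textual substitution of the username into the quoted literal, as the
    AuthSelect in the post does with '%n'. A quote in the username changes
    the statement itself; here that surfaces as a database error."""
    sql = "select PASSWORD from SUBSCRIBERS where USERNAME='%s'" % username
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", row[0] if row else None)


def lookup_bound(db, username):
    """Bound parameter: the username is data, never part of the statement,
    so a quote in it simply fails to match (or matches a real o'brien)."""
    sql = "select USERNAME, PASSWORD from SUBSCRIBERS where USERNAME=?"
    return db.execute(sql, (username,)).fetchone()  # (USERNAME, PASSWORD) or None


def authenticate(db, username, password):
    """Fail closed: a missing row or a wrong password is a reject (None).
    On success return the USERNAME stored in the database, not the one from
    the request, so the accounting record names the real subscriber."""
    row = lookup_bound(db, username)
    if row is None or row[1] != password:
        return None
    return row[0]
```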
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.