Hello Antonio -
This has been discussed on the list a number of times, and my suggestion has
always been to set up a special Handler to catch any illegal characters in user
names and reject those requests out of hand.
Have a look at the archive site:
http://www.starport.net/~radiator
regards
Hugh
On Sat, 21 Oct 2000, Antonio José Antón wrote:
> Hi all,
>
> This morning we noticed that if a user has a login name like
> user'other-text'@realm,
> when Radiator makes a query to MySQL, it fails with an error like:
>
> ERR: Execute failed for 'select NASIDENTIFIER, NASPORT
> , ACCTSESSIONID from RADONLINE where USERNAME='user'other-text''':
> Something is wrong in your syntax near 'other-text''' in line 1
>
> The problem appears when you insert a single quote (') in the username.
> In the manual, you say that with the command RewriteUsername, we can
> remove any character from a username.
>
> I have a few questions:
>
> - Is RewriteUsername a CPU-intensive operation?
> - Do you know of other "prohibited" characters with MySQL?
> - Can anybody exploit Radiator with malformed usernames or do a DoS
>   attack?
>
> Thanks,
> Anton
>
> ===
> Archive at http://www.starport.net/~radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
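
The failure reported in this thread and the two defences it points to, as an added example that is not part of the original messages and is not Radiator code: the reported login name breaks a query built by string interpolation, a bound parameter keeps the quote as data, and an allow-list check rejects the request before any SQL runs. SQLite stands in for MySQL so the example runs offline; the allowed character set, the sample row and all function names are assumptions.

```python
import re
import sqlite3

# Allow-list for login names; the permitted character set is an assumption
# made for this example, adjust it to the local naming policy.
ALLOWED_USERNAME = re.compile(r"[A-Za-z0-9._-]+(@[A-Za-z0-9.-]+)?")

def make_db():
    """In-memory stand-in for the RADONLINE table named in the error message."""
    db = sqlite3.connect(":memory:")
    db.execute("create table RADONLINE (USERNAME text, NASIDENTIFIER text,"
               " NASPORT integer, ACCTSESSIONID text)")
    db.execute("insert into RADONLINE values ('user@realm', 'nas1', 7, 'abc123')")
    return db

def lookup_concatenated(db, username):
    """Builds the statement by string interpolation, as in the failing query."""
    sql = ("select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE "
           "where USERNAME='%s'" % username)
    return db.execute(sql).fetchall()

def lookup_bound(db, username):
    """Passes the username as a bound parameter, so quotes stay data."""
    sql = ("select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE "
           "where USERNAME=?")
    return db.execute(sql, (username,)).fetchall()

def handle_request(db, username):
    """Rejects names outside the allow-list before any SQL is issued."""
    if not ALLOWED_USERNAME.fullmatch(username):
        return ("REJECT", [])
    return ("LOOKUP", lookup_bound(db, username))

def concatenated_fails(db, username):
    """True when the interpolated statement is rejected by the SQL parser."""
    try:
        lookup_concatenated(db, username)
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    bad = "user'other-text'@realm"   # the login name from the report
    print(concatenated_fails(db, bad))
    print(lookup_bound(db, bad))
    print(handle_request(db, bad))
    print(handle_request(db, "user@realm"))
```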