Rodrigo- If I understand you correctly, you are concerned that someone may insert some characters or even SQL statements into the password in order to launch some sort of attack against your database. I think the root of your issue is the fact that you want to include the password in the queries, that opens up any number of potential security issues including the one you have described here.
Lots of people use Radiator and allow users to have more than one session. Maybe if you described in more detail exactly what you are trying to accomplish by including the password in the query someone on the list might have in interesting solution. If you have an end user that is using CHAP authentication they are never going to send the password to you so it would be impossible to use it in a query. If you are plugging potential security loopholes I'm sure you are not letting people authenticate using PAP are you? Of course you could always do your own password character set checking in a hook before sending the query out if you are so inclined. -Frank -----Original Message----- From: Rodrigo Nuno Bragan�a da Cunha [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:25 AM To: [EMAIL PROTECTED] Subject: Re: (RADIATOR) Username/Password hacking while using AuthBy SQL Hugh Irvine wrote: > > Hello Rodrigo - > > You can use the UsernameCharset parameter to restrict the characters > in the username. > > See section 6.4.30 in the Radiator 3.7.1 reference manual. > > As far as the password is concerned, this field is only read from the > database and the comparison is done inside Radiator. > Well... it works, but is not enought. Won't work for SQL logging, for instance. Also I need the password in the SQL query itself because there can be various active and valid sessions for the same username, and a query without password might return many valid sessions. So the password is exploitable also. Perhaps a "PasswordCharset" clause would work :-) The Charset should apply to auth logging also, right? I'm sending the configuration file. It works fine as is, except with malicious username/passwords ... > NB: have you included a copy of your configuration file (no secrets), > together with a trace 4 debug showing what is happening? > Here goes the trace, including the SQL syntax errors, witch could be exploited. Thanks for the help! Tue Dec 9 12:08:22 2003: DEBUG: Finished reading configuration file '/home/radius/Radiator-3.7.1/goodies/vpn3000-test00.cfg' Tue Dec 9 12:08:22 2003: DEBUG: Reading dictionary file '/home/radius/Radiator-3.7.1/dictionary' Tue Dec 9 12:08:22 2003: DEBUG: Creating authentication port 0.0.0.0:1645 Tue Dec 9 12:08:22 2003: DEBUG: Creating accounting port 0.0.0.0:1646 Tue Dec 9 12:08:22 2003: NOTICE: Server started: Radiator 3.7.1 on radius-vpn.vf-pt.internal.vodafone.com Tue Dec 9 12:08:25 2003: DEBUG: Packet dump: *** Received from 127.0.0.1 port 32784 .... Code: Access-Request Identifier: 10 Authentic: 1234567890123456 Attributes: User-Name = "norte'gregwe" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 Called-Station-Id = "123456789" Calling-Station-Id = "987654321" NAS-Port-Type = Async User-Password = "<158><238>-<202><216>;<4><246><188>8<9><160><216>}x<153>" Tue Dec 9 12:08:25 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT' Tue Dec 9 12:08:25 2003: INFO: Access rejected for norte'gregwe: Invalid character in User-Name Tue Dec 9 12:08:25 2003: DEBUG: do query is: 'INSERT INTO accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ, duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for username norte'gregwe' )': DBD::mysql::db do failed: You have an error in your SQL syntax near 'gregwe' )' at line 1 at Radius/SqlDb.pm line 219. Tue Dec 9 12:08:25 2003: ERR: do failed for 'INSERT INTO accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ, duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for username norte'gregwe' )': You have an error in your SQL syntax near 'gregwe' )' at line 1 DBD::mysql::db do failed: You have an error in your SQL syntax near 'gregwe' )' at line 1 at Radius/SqlDb.pm line 219. Tue Dec 9 12:08:25 2003: ERR: do failed for 'INSERT INTO accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ, duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for username norte'gregwe' )': You have an error in your SQL syntax near 'gregwe' )' at line 1 Tue Dec 9 12:08:25 2003: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 32784 .... Code: Access-Reject Identifier: 10 Authentic: 1234567890123456 Attributes: Reply-Message = "Request Denied" Tue Dec 9 12:08:25 2003: DEBUG: Packet dump: *** Received from 127.0.0.1 port 32784 .... Code: Accounting-Request Identifier: 11 Authentic: <201>T'<190><194><144><135>CW(<239><150>=~*m Attributes: User-Name = "norte'gregwe" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async Acct-Session-Id = "00001234" Acct-Status-Type = Start Called-Station-Id = "123456789" Calling-Station-Id = "987654321" Acct-Delay-Time = 0 Tue Dec 9 12:08:25 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT' Tue Dec 9 12:08:30 2003: DEBUG: Packet dump: *** Received from 127.0.0.1 port 32784 .... Code: Accounting-Request Identifier: 12 Authentic: u|<216>d<156><134><5>x<236>w<220>A<238>P<240>f Attributes: User-Name = "norte'gregwe" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async Acct-Session-Id = "00001234" Acct-Status-Type = Stop Called-Station-Id = "123456789" Calling-Station-Id = "987654321" Acct-Delay-Time = 0 Acct-Session-Time = 1000 Acct-Input-Octets = 20000 Acct-Output-Octets = 30000 Tue Dec 9 12:08:30 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT' === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
