Morning,

It's interesting to note that Radiator will pass a username request into
the SQL database without escaping special characters. For example:

Sun Feb 28 23:00:36 1999: ERR: Prepare failed for 'select NAS_IP_Address,
NAS_Port, Acct_Session_ID from IRAD.RADONLINE where
Username='ep:}$&/={z;r'jg+p%gbn'':
ORA-01756: quoted string not properly terminated (DBD ERROR:
OCIStmtPrepare)

(We have a fair few of these in our logs... I am suspecting they are due
to Cisco's autoselect during-login not working as desired in some
circumstances).

While these occurrences in themselves are no more than an annoyance, it
would seem possible for a sufficiently savvy malicious person to be able to
manipulate the SQL statement to do bad things. Am I just being paranoid?

Justin
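
Added example, not part of the message above and not Radiator's own code: it runs the logged lookup against an in-memory SQLite table, once with the username pasted between quotes and once as a bound parameter. The table layout, the sample rows and the function names are assumptions made for the illustration; the username is the one from the log line.

```python
import sqlite3

# Constructed sample input: the username exactly as it appears in the logged
# statement above (it contains one quote and ends with another).
LOGGED_USERNAME = "ep:}$&/={z;r'jg+p%gbn'"
COLUMNS = "NAS_IP_Address, NAS_Port, Acct_Session_ID"


def make_db():
    """In-memory stand-in for the RADONLINE table (assumed column types)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table RADONLINE (Username text, NAS_IP_Address text, "
        "NAS_Port integer, Acct_Session_ID text)"
    )
    conn.executemany(
        "insert into RADONLINE values (?, ?, ?, ?)",
        [
            ("justin", "192.0.2.10", 3, "0000A1"),        # constructed row
            (LOGGED_USERNAME, "192.0.2.10", 7, "0000A2"),  # constructed row
        ],
    )
    return conn


def lookup_interpolated(conn, username):
    """Pastes the username between quotes, so its quotes become SQL syntax."""
    sql = f"select {COLUMNS} from RADONLINE where Username='{username}'"
    try:
        return ("ok", conn.execute(sql).fetchall())
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return ("prepare failed", str(exc))


def lookup_bound(conn, username):
    """Sends the username as a bound parameter; it is only ever data."""
    sql = f"select {COLUMNS} from RADONLINE where Username=?"
    return ("ok", conn.execute(sql, (username,)).fetchall())


if __name__ == "__main__":
    db = make_db()
    for name in ("justin", LOGGED_USERNAME):
        print(repr(name), lookup_interpolated(db, name), lookup_bound(db, name))
```

Perl DBI, which the DBD error in the log points to, accepts the same `?` placeholders in prepare() with the values passed to execute().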