Hi Justin,
We have seen a similar problem before, mostly with Ciscos. The typical thing
to do is to apply a global RewriteUsername to strip out the noise
characters. I think you will find an example in the radius.cfg in the
distribution.

Cheers.
-------------------------------------------------------------------------------------------
Mike McCauley                                 [EMAIL PROTECTED]
Open System Consultants                 +61 3 9598 0985

Mike is travelling right now, and there may be delays
in our correspondence.
-----Original Message-----
From: Justin Daminato <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, March 01, 1999 11:40 AM
Subject: (RADIATOR) SQL curiosities..


>
>Morning,
>
>It's interesting to note that radiator will pass a username request into
>the SQL database without escaping special characters.. for example:
>
>Sun Feb 28 23:00:36 1999: ERR: Prepare failed for 'select NAS_IP_Address,
>NAS_Port, Acct_Session_ID from IRAD.RADONLINE where
>Username='ep:}$&/={z;r'jg+p%gbn'':
> ORA-01756: quoted string not properly terminated (DBD ERROR:
>OCIStmtPrepare)
>
>(We have a fair few of these in our logs... I am suspecting they are due
>to Ciscos autoselect during-login not working as desired in some
>circumstances).
>
>While these occurrences in themselves are no more than an annoyance, it
>would seem possible for a sufficiently savvy malicious person to be able to
>manipulate the SQL statement to do bad things. Am I just being paranoid?
>
>Justin
>
>
>===
>To unsubscribe, email '[EMAIL PROTECTED]' with
>'unsubscribe radiator' in the body of the message.
>
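
An added example, not part of either message and not Radiator's own code: the lookup from the log line built by string interpolation, beside the same lookup with a bound parameter and a username rewrite of the kind Mike suggests. Assumptions: an in-memory SQLite table stands in for IRAD.RADONLINE on Oracle, the rows and the second and third usernames are constructed, and the `strip_noise` pattern is hypothetical rather than taken from radius.cfg.

```python
import re
import sqlite3

# Username taken from the ORA-01756 log line quoted in the thread.
LOG_USERNAME = "ep:}$&/={z;r'jg+p%gbn"

QUERY = ("select NAS_IP_Address, NAS_Port, Acct_Session_ID "
         "from RADONLINE where Username=")

def make_db():
    """In-memory SQLite stand-in for IRAD.RADONLINE (rows are constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table RADONLINE (Username text, NAS_IP_Address text,"
                 " NAS_Port integer, Acct_Session_ID text)")
    conn.executemany("insert into RADONLINE values (?, ?, ?, ?)", [
        ("alice", "192.0.2.1", 1, "s-0001"),
        ("o'brien", "192.0.2.1", 2, "s-0002"),
    ])
    return conn

def lookup_interpolated(conn, username):
    """Weak form: the username becomes part of the SQL text."""
    return conn.execute(QUERY + "'" + username + "'").fetchall()

def lookup_bound(conn, username):
    """Hardened form: the username travels as a bound parameter."""
    return conn.execute(QUERY + "?", (username,)).fetchall()

def strip_noise(username):
    """Hypothetical allow-list rewrite applied before any lookup."""
    return re.sub(r"[^A-Za-z0-9._@-]", "", username)

def interpolated_outcome(conn, username):
    """Return the rows, or the prepare error as text, for the weak form."""
    try:
        return lookup_interpolated(conn, username)
    except sqlite3.Error as exc:
        return "prepare failed: %s" % exc

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a legitimate quoted name and a quote-bearing string.
    for name in (LOG_USERNAME, "o'brien", "x' or 'a'='a"):
        print(repr(name))
        print("  interpolated:", interpolated_outcome(db, name))
        print("  bound:       ", lookup_bound(db, name))
        print("  rewritten:   ", strip_noise(name))
```

Stripping characters also alters legitimate names such as `o'brien`, whereas the bound lookup matches them unchanged and returns no rows for the other two inputs.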

