Hi All,

The problem with stripping out single quotes has been fixed. AuthBy SQL now
escapes quotes and similar characters. I have attached a fixed version of
AuthSQL.pm for Radiator 2.15, and also uploaded it to the 2.15 patches area.

Thanks to all concerned for pointing this out.
Cheers.

On Apr 22, 10:30am, Hugh Irvine wrote:
> Subject: *IMPORTANT* Re: (RADIATOR) Oh Dear - Possible Authentication Bug
>
> Hello Brian -
>
> On Sat, 22 Apr 2000, Brian Morris wrote:
> > I have not investigated this too far yet but I thought it important enough
> > to alert others of it now...
> >
> > I have discovered a fault in the setup of /our/ Radiator configuration where
> > users may successfully authenticate to our SQL database with an INVALID
> > username.
> >
> > The error occurs when the user places an apostrophe somewhere in their
> > username - even though there is not one in their user record on our system,
> > Radiator will still let them in.  (eg:  Username johnsmith logs in as
> > johnsmit'h )
> >
> > The accounting record is written as johnsmit'h so effectively the user does
> > not get billed for their usage.
> >
> > We use the standard rewriteusername to strip the realm (RewriteUsername
> > s/^([^@]+).*/$1/  ) so something could be put into there to strip
> > apostrophes as well but this is not really a 'solution' (Anyone want to
> > supply one for now anyway?)
> >
> > For reference our authselect looks something like this ...  AuthSelect
> > select PASSWORD from SUBSCRIBERS where USERNAME='%n'
> >
> > I thought that others may also want to know about this.
> >
>
> Hmmmm - yes. The routine Radius::AuthSQL::findUser does indeed strip single
> quotes out of the username string as a defence mechanism:
>
>     # Now might be a good time to make sure there are no bogus
>     # characters in the user name, else the select statement could get
>     # confused. Special offenders are ' and ). Both together in a
>     # username can make MSSQL hang.
>     $name =~ s/'//g;
>
> This is why you are seeing the problem.
>
> If you simply wish to Reject users who might mistakenly type their username in
> this way, you could do something like this:
>
> # configuration to Reject users who type single quotes ("'") in their username
> # add something like this to your existing configuration
>
> <AuthBy FILE>
>       Identifier RejectUsers
>       Filename %D/reject-users
> </AuthBy>
>
> <Handler User-Name = /'/>
>       AuthBy RejectUser
> </Handler>
>
> # if you are currently using Realms, change them to Handlers
> # <Realm .....>  ->  <Handler Realm = ....>
>
> .....
>
> and in the file %D/reject-users
>
> # file %D/reject-users
>
> DEFAULT  Auth-Type = Reject
>
>
> Thanks for pointing this out - we will add a note to the AuthBy SQL section of
> the manual indicating this behaviour.
>
> regards
>
> Hugh
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
>
>
>
>-- End of excerpt from Hugh Irvine



-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
2000, NT, MacOS X
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
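To show why the stripping line quoted above lets johnsmit'h authenticate as johnsmith while the escaping fix does not, here is an added Python illustration; it is not Radiator's Perl code, the SUBSCRIBERS rows are constructed, and the three lookup modes mirror the old strip, the new escape, and a bound parameter run against the thread's AuthSelect.

```python
import re
import sqlite3

# Constructed sample data standing in for the SUBSCRIBERS table named in the AuthSelect.
SUBSCRIBERS = [("johnsmith", "s3cret")]


def open_db():
    """Fresh in-memory SQLite copy of the constructed SUBSCRIBERS table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SUBSCRIBERS (USERNAME TEXT PRIMARY KEY, PASSWORD TEXT)")
    db.executemany("INSERT INTO SUBSCRIBERS VALUES (?, ?)", SUBSCRIBERS)
    return db


def find_password(db, name, mode):
    """Run the thread's AuthSelect three ways and return the stored password or None."""
    if mode == "strip":
        # Radiator 2.15 findUser behaviour: Perl's  $name =~ s/'//g;  then substitute %n.
        sql = "select PASSWORD from SUBSCRIBERS where USERNAME='%s'" % re.sub(r"'", "", name)
    elif mode == "escape":
        # Fixed behaviour: the quote is escaped (doubled in SQL), so the literal stays johnsmit'h.
        sql = "select PASSWORD from SUBSCRIBERS where USERNAME='%s'" % name.replace("'", "''")
    elif mode == "bind":
        # Bound parameter: the driver handles quoting, nothing to strip or escape.
        row = db.execute("select PASSWORD from SUBSCRIBERS where USERNAME=?", (name,)).fetchone()
        return row[0] if row else None
    else:
        raise ValueError(mode)
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def auth_and_account(mode, typed_name, password):
    """Return (accepted, name written to accounting).

    Accounting records the name as typed, so in "strip" mode the request johnsmit'h is
    accepted against johnsmith's password but billed to the nonexistent johnsmit'h.
    """
    db = open_db()
    stored = find_password(db, typed_name, mode)
    return (stored is not None and stored == password, typed_name)


if __name__ == "__main__":
    for mode in ("strip", "escape", "bind"):
        print(mode, auth_and_account(mode, "johnsmit'h", "s3cret"))
```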
