16 Sep
2021
16 Sep
'21
4:40 p.m.
On Sep 16, 2021, at 4:32 PM, Antônio Modesto <modesto@hubsoft.com.br> wrote:
From our application I don't think that it is possible. Only if the attacker pretended to be a known NAS server. Do you have any other suggestion?
If you change the list of allowed characters, it is changed for ALL of the attributes. Not just NAS-Port-Id. For example, someone could log in with a User-Name which exploits this issue. They don't even have to have an account, or even the correct password. Alan DeKok.