FreeRadius replaces characters in '%{User-Password}' after upgrade 3.0.16->3.0.19
Hello. After upgrade from 3.0.16 to 3.0.19 freeradius is replacing characters in mysql queries. (76475085) Tue Jul 16 16:16:06 2019: Debug: Received Access-Request Id 54 from length 126 (76475085) Tue Jul 16 16:16:06 2019: Debug: NAS-Identifier = "XXXX" (76475085) Tue Jul 16 16:16:06 2019: Debug: User-Password = "p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=" query ... xxx.value = '%{User-Password}' AND ... (76475085) Tue Jul 16 16:16:06 2019: Debug: sql3: Executing select query: SELECT ... xxx.value = 'p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D' AND ... \+ is replaced and =3D added at the end. `p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=` `p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D` radiusd: FreeRADIUS Version 3.0.19 (git #1156b5361), for host x86_64-pc-linux-gnu FreeRADIUS Version 3.0.19 On 3.0.16 same config, same query, password is not changed. Any help would be appreciated. Andrzej
Please share the entire debug output
On 17 Jul 2019, at 08:41, belyj@belyj.eu wrote:
Hello.
After upgrade from 3.0.16 to 3.0.19 freeradius is replacing characters in mysql queries.
(76475085) Tue Jul 16 16:16:06 2019: Debug: Received Access-Request Id 54 from length 126 (76475085) Tue Jul 16 16:16:06 2019: Debug: NAS-Identifier = "XXXX" (76475085) Tue Jul 16 16:16:06 2019: Debug: User-Password = "p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw="
query
... xxx.value = '%{User-Password}' AND ...
(76475085) Tue Jul 16 16:16:06 2019: Debug: sql3: Executing select query: SELECT ... xxx.value = 'p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D' AND ...
\+ is replaced and =3D added at the end.
`p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=`
`p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D`
radiusd: FreeRADIUS Version 3.0.19 (git #1156b5361), for host x86_64-pc-linux-gnu FreeRADIUS Version 3.0.19
On 3.0.16 same config, same query, password is not changed.
Any help would be appreciated.
Andrzej - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
(0) Received Access-Request Id 161 from 127.0.0.1:37025 to 127.0.0.1:1812 length 76 [50/862] (0) User-Name = "p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=" (0) NAS-Identifier = "nas-here" (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) sql: EXPAND %{User-Name} (0) sql: --> p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw= (0) sql: SQL-User-Name set to 'p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=' rlm_sql (sql): Reserved connection (0) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D' ORDER BY id echo "User-Name="p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=",NAS-Identifier=nas-here" | radclient 127.0.0.1 auth testing123 same with username %{User-Name}, default install just enabled sql module On 2019-07-17 16:58, Jorge Pereira wrote:
Please share the entire debug output
On 17 Jul 2019, at 08:41, belyj@belyj.eu wrote:
Hello.
After upgrade from 3.0.16 to 3.0.19 freeradius is replacing characters in mysql queries.
(76475085) Tue Jul 16 16:16:06 2019: Debug: Received Access-Request Id 54 from length 126 (76475085) Tue Jul 16 16:16:06 2019: Debug: NAS-Identifier = "XXXX" (76475085) Tue Jul 16 16:16:06 2019: Debug: User-Password = "p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw="
query
... xxx.value = '%{User-Password}' AND ...
(76475085) Tue Jul 16 16:16:06 2019: Debug: sql3: Executing select query: SELECT ... xxx.value = 'p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D' AND ...
\+ is replaced and =3D added at the end.
`p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=`
`p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D`
radiusd: FreeRADIUS Version 3.0.19 (git #1156b5361), for host x86_64-pc-linux-gnu FreeRADIUS Version 3.0.19
On 3.0.16 same config, same query, password is not changed.
Any help would be appreciated.
Andrzej - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 18, 2019, at 2:51 AM, belyj@belyj.eu wrote:
... (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D' ORDER BY id
echo "User-Name="p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=",NAS-Identifier=nas-here" | radclient 127.0.0.1 auth testing123
same with username %{User-Name}, default install just enabled sql module
The SQL module has always performed character escaping. I'm not sure what changed, if anything. The short answer is that you can expose your SQL server to injection attacks by editing the "safe_characters" string in mods-config/sql/main/mysql/queries.conf Alan DeKok.
On 18/07/2019 12:21, Alan DeKok wrote:
The SQL module has always performed character escaping. I'm not sure what changed, if anything.
The short answer is that you can expose your SQL server to injection attacks by editing the "safe_characters" string in mods-config/sql/main/mysql/queries.conf
Is using parameterised queries instead anywhere on the roadmap?
On 18-07-19 14:48, Dom Latter wrote:
On 18/07/2019 12:21, Alan DeKok wrote:
The SQL module has always performed character escaping. I'm not sure what changed, if anything.
The short answer is that you can expose your SQL server to injection attacks by editing the "safe_characters" string in mods-config/sql/main/mysql/queries.conf
Is using parameterised queries instead anywhere on the roadmap?
https://github.com/FreeRADIUS/freeradius-server/issues/830 There is an issue to do it, but it looks like nobody had any time to fix it. Meanwhile, Postgresql and Mysql have an option driver_specific_escape that uses driver specific escapes and should fix the problem. It was introduced pretty recently, so I guess 3.0.19 should have it available. (Other drivers can be rewritten to include a specific include as well, it's just that nobody ever did that). -- Herwin Weststrate
On 18/07/2019 13:55, Herwin Weststrate wrote:
Meanwhile, Postgresql and Mysql have an option driver_specific_escape that uses driver specific escapes and should fix the problem. It was introduced pretty recently, so I guess 3.0.19 should have it available.
Thanks Herwin, I will look into that.
On Jul 18, 2019, at 8:55 AM, Herwin Weststrate <herwin@quarantainenet.nl> wrote:
https://github.com/FreeRADIUS/freeradius-server/issues/830
There is an issue to do it, but it looks like nobody had any time to fix it.
We've made some good progress, but only in the "master" branch. The goal is to automatically split the SQL queries into "safe" and "unsafe" bits. But that involves tracking the safety of expansions recursively. Which then changes all kinds of things. It's just easier to do it in v4.
Meanwhile, Postgresql and Mysql have an option driver_specific_escape that uses driver specific escapes and should fix the problem. It was introduced pretty recently, so I guess 3.0.19 should have it available. (Other drivers can be rewritten to include a specific include as well, it's just that nobody ever did that).
That's the best approach for v3. Alan DeKok.
On 18/07/2019 15:16, Alan DeKok wrote:
On Jul 18, 2019, at 8:55 AM, Herwin Weststrate <herwin@quarantainenet.nl> wrote:
Meanwhile, Postgresql and Mysql have an option driver_specific_escape that uses driver specific escapes and should fix the problem. It was introduced pretty recently, so I guess 3.0.19 should have it available. (Other drivers can be rewritten to include a specific include as well, it's just that nobody ever did that).
That's the best approach for v3.
How about stored procedures?
participants (5)
-
Alan DeKok -
belyj@belyj.eu -
Dom Latter -
Herwin Weststrate -
Jorge Pereira