Hi All, Hopefully a quick one, is the SQL module still susceptible to SQL injection in version 3.2.1 of FreeRADIUS? I was having a look through implementing some anti SQL injection measures since I found a security notification on the FreeRADIUS site for it, but given that it is quite an old notification, is this still required? If it is, are there any recommended measures? Kind regards, Connor
On Sep 19, 2024, at 4:10 AM, Connor Herring <connorrjherring@gmail.com> wrote:
Hopefully a quick one, is the SQL module still susceptible to SQL injection in version 3.2.1 of FreeRADIUS? I was having a look through implementing some anti SQL injection measures since I found a security notification on the FreeRADIUS site for it, but given that it is quite an old notification, is this still required? If it is, are there any recommended measures?
You're worried about a report from 2005? And one which says that the issue has been fixed? Ok... Alan DeKok.
Hi Alan, I hadn't seen it saying it had been fixed. Aside from enabling auto-escape is there much else to be concerned about in relation to SQL injection? Kind regards, Connor On Thu, Sep 19, 2024 at 12:13 PM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 19, 2024, at 4:10 AM, Connor Herring <connorrjherring@gmail.com> wrote:
Hopefully a quick one, is the SQL module still susceptible to SQL injection in version 3.2.1 of FreeRADIUS? I was having a look through implementing some anti SQL injection measures since I found a security notification on the FreeRADIUS site for it, but given that it is quite an old notification, is this still required? If it is, are there any recommended measures?
You're worried about a report from 2005? And one which says that the issue has been fixed?
Ok...
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 19, 2024, at 7:18 AM, Connor Herring <connorrjherring@gmail.com> wrote:
I hadn't seen it saying it had been fixed. Aside from enabling auto-escape is there much else to be concerned about in relation to SQL injection?
The issue says: Two vulnerabilities in the SQL module exist in all versions prior to 1.0.3. Sites not using the SQL module are not affected by this issue. However, we still recommend that all sites upgrade to version 1.0.3. So... is it fixed in 1.0.3 or not? As for other attacks, do you expect that we ship the server with known attacks that we don't care about? Alan DeKok.
Hi Alan, I was purely interested in what measures FreeRADIUS had built in to mitigate SQL injection attacks to understand whether an administrator would need to implement anything themselves for the same reason. Kind regards, Connor On Thu, Sep 19, 2024 at 12:23 PM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 19, 2024, at 7:18 AM, Connor Herring <connorrjherring@gmail.com> wrote:
I hadn't seen it saying it had been fixed. Aside from enabling auto-escape is there much else to be concerned about in relation to SQL injection?
The issue says:
Two vulnerabilities in the SQL module exist in all versions prior to 1.0.3. Sites not using the SQL module are not affected by this issue. However, we still recommend that all sites upgrade to version 1.0.3.
So... is it fixed in 1.0.3 or not?
As for other attacks, do you expect that we ship the server with known attacks that we don't care about?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Connor Herring