Authentication fails when username contains specific characters.

Izumi hatosaburepoppo at gmail.com
Sat Jan 5 17:43:58 CET 2019


Thank you very much for your reply.

Sat, Jan 5, 2019, 3:55 Alan DeKok <aland at deployingradius.com>:
>
> On Jan 4, 2019, at 3:35 AM, Izumi <hatosaburepoppo at gmail.com> wrote:
> > Authentication fails when the username contains the following 23 characters
> > (like Andy1 and Burt1).
> > 23 chars -> !#$%&()*+,;<=>?[]^`{|}~
>
>   What's happening is that the server is protecting you from SQL injection attacks.
>
>   See:  /mods-config/sql/main/mysql/queries.conf
>
>   And the "safe_characters" configuration option.  You can list more characters there, but your users will then be able to "own" your SQL database.
>
> > However, authentication does not fail when the password contains those 23
> > characters (like Eddy).
> > What do I need to do to solve the problem of Andy1 and Burt1?
>
>   Don't use special characters in user names.

I understand the following two points now.
・Using special characters in user names causes SQL injection attacks.
・I must not use special characters in user names.
By the way, is "using special characters in passwords" dangerous with respect to
SQL injection attacks? (e.g. Eddy)
You did not mention "using special characters in passwords".
+----+----------+--------------------+----+-------------------------------+
| id | username | attribute          | op | value                         |
+----+----------+--------------------+----+-------------------------------+
|  6 | Eddy     | Cleartext-Password | := | !#$%&()*+,-./:;<=>?@[]^_`{|}~ |
+----+----------+--------------------+----+-------------------------------+

>
> > I read the debug output and tried Andy2 and Burt2 (entering an equals sign and the ASCII
> > code in hex, e.g. '=2B' for '+').
> > I found out that authentication then succeeds, but is there any other
> > solution?
> > Do I have to do this conversion each time I add a user?
> >
> > I attached .bash_history and all files that may be useful.
>
>   Don't do that.  We document the information we need.  You get told what information we need when you join the mailing list.

I am sorry, I do not understand what you are trying to say.
I think that I have already joined the mailing list.
Could it be that you are talking about the files which I attached?
If so, I will be careful from now on.

>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Regards,
Izumi
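The safe_characters behaviour Alan describes, as an added example that is not part of the thread or of FreeRADIUS's own code: a small Python emulation of the =XX escaping applied to values before they reach the SQL query, run against a constructed radcheck table. The DEFAULT_SAFE string is the safe_characters value as I recall it from queries.conf and is an assumption; the table rows and passwords are constructed.

```python
# Added example (not from the thread or from FreeRADIUS): emulates how the
# SQL module rewrites every character that is NOT in "safe_characters" as
# =XX (uppercase hex of the byte) before the value is placed in a query.
# Assumption: DEFAULT_SAFE is the shipped safe_characters value, from memory.
DEFAULT_SAFE = (
    "@abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789.-_: /"
)


def sql_escape(value: str, safe: str = DEFAULT_SAFE) -> str:
    """Return value with each unsafe byte replaced by =XX, e.g. '+' -> '=2B'."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x80 and ch in safe:
            out.append(ch)
        else:
            out.append(f"={byte:02X}")
    return "".join(out)


# Constructed stand-in for radcheck: (id, username, attribute, op, value).
# Andy1 is stored with the raw '+'; Andy2 is stored in the =XX form the
# poster typed by hand; Eddy has special characters only in the password.
RADCHECK = [
    (1, "Andy1+", "Cleartext-Password", ":=", "secret"),
    (2, "Andy2=2B", "Cleartext-Password", ":=", "secret"),
    (6, "Eddy", "Cleartext-Password", ":=", "!#$%&()*+,-./:;<=>?@[]^_`{|}~"),
]


def lookup_user(username: str, table=RADCHECK) -> list:
    """Emulate the authorize check query: the User-Name from the request is
    escaped first, then matched against the stored username column."""
    escaped = sql_escape(username)
    return [row for row in table if row[1] == escaped]


def authenticate(username: str, password: str) -> bool:
    """PAP-style check: the fetched Cleartext-Password is compared in memory,
    so the password never goes through sql_escape and may contain anything."""
    rows = lookup_user(username)
    return any(r[2] == "Cleartext-Password" and r[4] == password for r in rows)
```

Run stand-alone, `lookup_user("Andy1+")` returns no rows because the escaped name "Andy1=2B" does not match the raw "Andy1+" in the table, while "Andy2+" and "Eddy" both resolve and authenticate.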
