Authentication fails when username contains specific characters.

Alan DeKok aland at deployingradius.com
Sat Jan 5 18:20:17 CET 2019


On Jan 5, 2019, at 11:43 AM, Izumi <hatosaburepoppo at gmail.com> wrote:
> I understand the following two points now.
> ・Using special characters in user names causes SQL injection attacks.
> ・I must not use special characters in user names.

  Yes.

> By the way, is "using special characters in passwords" a danger for
> SQL injection attacks? (e.g. Eddy)
> You do not mention "using special characters in passwords".
> +----+----------+--------------------+----+-------------------------------+
> | id | username | attribute          | op | value                         |
> +----+----------+--------------------+----+-------------------------------+
> |  6 | Eddy     | Cleartext-Password | := | !#$%&()*+,-./:;<=>?@[]^_`{|}~ |
> +----+----------+--------------------+----+-------------------------------+

  That is data being *read* from SQL.  So there is no possibility for injection attacks.

>>  Don't do that.  We document the information we need.  You get told what information we need when you join the mailing list.
> 
> I am sorry. I do not understand what you are trying to say.
> I think that I have already joined the mailing list.
> Could it be that you are talking about the files which I attached?
> If so, I will be careful from now on.

  When you join the mailing list, you get an email.  That email tells you what information you should include in posts to the list.

  Alan DeKok.
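
The distinction drawn in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code: request input that ends up in the SQL text is what matters for injection, while a stored value that comes back as a result column is only data. It assumes Python's `sqlite3` and a table named `radcheck` laid out like the one shown in the post; the function names are hypothetical.

```python
import hmac
import sqlite3

# Constructed sample value, copied from the "Eddy" row shown in the post.
SAMPLE_PASSWORD = "!#$%&()*+,-./:;<=>?@[]^_`{|}~"

def make_db():
    # In-memory table modelled on the layout in the post (assumed name: radcheck).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
               "attribute TEXT, op TEXT, value TEXT)")
    db.execute("INSERT INTO radcheck VALUES "
               "(6, 'Eddy', 'Cleartext-Password', ':=', ?)", (SAMPLE_PASSWORD,))
    return db

def lookup_unsafe(db, username):
    # Request input is pasted into the SQL text. This is the only place
    # where characters in the input can change the statement itself.
    sql = "SELECT value FROM radcheck WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, username):
    # Request input travels as a bound parameter, never as SQL text.
    sql = ("SELECT value FROM radcheck "
           "WHERE username = ? AND attribute = 'Cleartext-Password'")
    return db.execute(sql, (username,)).fetchall()

def check_password(db, username, supplied):
    # The stored value is read back as a result column and compared in
    # application code; it is never parsed as SQL, whatever it contains.
    rows = lookup_bound(db, username)
    return any(hmac.compare_digest(value.encode(), supplied.encode())
               for (value,) in rows)

def unsafe_breaks_on_quote(db):
    # A user name containing a quote corrupts the string-built statement.
    try:
        lookup_unsafe(db, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print(check_password(db, "Eddy", SAMPLE_PASSWORD))
    print(lookup_bound(db, "O'Brien"))
    print(unsafe_breaks_on_quote(db))
```
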



