FreeRadius replaces characters in '%{User-Password}' after upgrade 3.0.16->3.0.19
Alan DeKok
aland at deployingradius.com
Thu Jul 18 13:21:08 CEST 2019
On Jul 18, 2019, at 2:51 AM, belyj at belyj.eu wrote:
> ...
> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D' ORDER BY id
> (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D' ORDER BY id
>
> echo "User-Name="p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=",NAS-Identifier=nas-here" | radclient 127.0.0.1 auth testing123
>
> same with username %{User-Name}, default install just enabled sql module
The SQL module has always performed character escaping. I'm not sure what changed, if anything.
The short answer is that you can expose your SQL server to injection attacks by editing the "safe_characters" string in mods-config/sql/main/mysql/queries.conf.
Alan DeKok.
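The escaping Alan refers to, modelled as an added example (my own Python, not FreeRADIUS code): every byte of the expanded value that is not in the module's "safe_characters" string is replaced by "=" followed by two uppercase hex digits, which is exactly why the "+" and "=" in the quoted User-Name show up as "=2B" and "=3D" in the expanded radcheck query. The DEFAULT_SAFE_CHARACTERS string is my recollection of the default shipped in queries.conf and should be treated as an assumption; the helper names (sql_escape, build_radcheck_query, quote_is_neutralised) are mine. The last function contrasts the default set with a deliberately widened one that admits the single quote, to show what loosening the string gives up.

```python
# Added example, not from the mailing list post or the FreeRADIUS source:
# a model of the SQL module's "safe_characters" escaping.
import string

# Assumed to mirror the default safe_characters in
# mods-config/sql/main/mysql/queries.conf (an assumption, not a quote).
DEFAULT_SAFE_CHARACTERS = "@" + string.ascii_letters + string.digits + ".-_: /"


def sql_escape(value: str, safe_characters: str = DEFAULT_SAFE_CHARACTERS) -> str:
    """Escape a value the way the SQL module does before expansion.

    Works byte by byte on the UTF-8 encoding: a byte that is an ASCII
    character listed in safe_characters is copied through unchanged,
    anything else (including every byte of a multibyte character) becomes
    '=' followed by two uppercase hex digits.
    """
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x80 and ch in safe_characters:
            out.append(ch)
        else:
            out.append(f"={byte:02X}")
    return "".join(out)


def build_radcheck_query(user_name: str,
                         safe_characters: str = DEFAULT_SAFE_CHARACTERS) -> str:
    """Expand the radcheck lookup from the post with the escaped user name.

    This is the same query text that appears after '-->' in the quoted
    debug output once %{SQL-User-Name} has been substituted.
    """
    return ("SELECT id, username, attribute, value, op FROM radcheck "
            f"WHERE username = '{sql_escape(user_name, safe_characters)}' "
            "ORDER BY id")


def quote_is_neutralised(user_name: str,
                         safe_characters: str = DEFAULT_SAFE_CHARACTERS) -> bool:
    """True if no raw single quote from the input can reach the query.

    With the default safe_characters the quote is always rewritten to =27;
    a safe_characters string that lists the quote lets it through verbatim,
    which is the injection risk the reply warns about.
    """
    return "'" not in sql_escape(user_name, safe_characters)


if __name__ == "__main__":
    # Constructed input: the User-Name from the quoted radclient command.
    posted_name = "p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw="
    print(build_radcheck_query(posted_name))

    # Default versus a widened safe set that admits the single quote.
    widened = DEFAULT_SAFE_CHARACTERS + "'"
    print("default set neutralises quote:", quote_is_neutralised("o'brien"))
    print("widened set neutralises quote:", quote_is_neutralised("o'brien", widened))
```

Running it prints the same expanded query as the quoted debug line, and then True for the default set and False for the widened one. The practical consequence is the one the reply states: if a base64-style User-Name must match a radcheck row, store the row in the escaped form (or compare on the escaped value) rather than adding "+" and "=" to safe_characters, because any character you add there is passed into the query unmodified.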