FreeRadius replaces characters in '%{User-Password}' after upgrade 3.0.16->3.0.19

Alan DeKok aland at deployingradius.com
Thu Jul 18 13:21:08 CEST 2019


On Jul 18, 2019, at 2:51 AM, belyj at belyj.eu wrote:
> ...
> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> (0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D' ORDER BY id
> (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D' ORDER BY id
> 
> echo "User-Name="p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=",NAS-Identifier=nas-here" | radclient 127.0.0.1 auth testing123
> 
> same with username %{User-Name}, default install just enabled sql module

  The SQL module has always performed character escaping.  I'm not sure what changed, if anything.

  The short answer is that you can expose your SQL server to injection attacks by editing the "safe_characters" string in mods-config/sql/main/mysql/queries.conf

  Alan DeKok.
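To make the escaping Alan describes concrete, here is an added Python reimplementation of the core rule the 3.0 SQL module applies to expansions such as `%{SQL-User-Name}` (every character outside `safe_characters` becomes `=` followed by its byte value in hex). It is not code from the thread or from FreeRADIUS itself, the default `safe_characters` value is assumed to be the one shipped commented out in `queries.conf`, and the module's extra cases (multi-byte UTF-8, backslash and newline handling) are not modelled.

```python
# Added example, not the FreeRADIUS source: the escaping rule behind the
# "=2B" and "=3D" seen in the quoted debug output.
# Assumption: the shipped default safe_characters string is this one.
DEFAULT_SAFE_CHARACTERS = (
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789.-_: /"
)


def sql_escape(value: str, safe_characters: str = DEFAULT_SAFE_CHARACTERS) -> str:
    """Replace every byte not listed in safe_characters with '=XX' (XX = hex).

    Non-ASCII input is encoded as UTF-8 first, so the result is always ASCII.
    The real module treats multi-byte UTF-8 and some control characters
    differently; those cases are out of scope here.
    """
    out = []
    for byte in value.encode("utf-8"):
        char = chr(byte)
        if byte < 0x80 and char in safe_characters:
            out.append(char)
        else:
            out.append(f"={byte:02X}")
    return "".join(out)


def radcheck_query(user_name: str, safe_characters: str = DEFAULT_SAFE_CHARACTERS) -> str:
    """Build the radcheck lookup from the log with the escaped username inserted."""
    return (
        "SELECT id, username, attribute, value, op FROM radcheck "
        f"WHERE username = '{sql_escape(user_name, safe_characters)}' ORDER BY id"
    )


# Constructed inputs: the User-Name sent with radclient in the thread, and a
# made-up value containing a single quote to show what the escaping protects.
POSTED_USER_NAME = "p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw="
QUOTED_USER_NAME = "o'brien"

if __name__ == "__main__":
    print(sql_escape(POSTED_USER_NAME))
    # -> p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D
    print(sql_escape(QUOTED_USER_NAME))
    # -> o=27brien  (the quote can no longer terminate the SQL string literal)
    # Widening safe_characters, as Alan warns against, lets the quote through:
    print(sql_escape(QUOTED_USER_NAME, DEFAULT_SAFE_CHARACTERS + "'"))
    # -> o'brien
```

The first output line reproduces the username exactly as the `(0) sql:` lines above show it, which is why the value stored in `radcheck` must be the escaped form if the lookup is to match.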
