Problem when trying to store NAS-Port-ID into radpostauth table

Antônio Modesto modesto at
Fri Sep 17 15:14:19 CEST 2021

On 16/09/2021 17:40, Alan DeKok wrote:
> On Sep 16, 2021, at 4:32 PM, Antônio Modesto <modesto at> wrote:
>>  From our application I don't think that it is possible. Only if the attacker pretended to be a known NAS server. Do you have any other suggestion?
>    If you change the list of allowed characters, it is changed for ALL of the attributes.  Not just NAS-Port-Id.  For example, someone could log in with a User-Name which exploits this issue.  They don't even have to have an account, or even the correct password.
>    Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

That's really a problem. I did some tests and I don't think it is 
possible to do sql injection without allowing a single quote in 
safe_characters. Am I missing something?

Att, *Antônio Modesto*

More information about the Freeradius-Users mailing list