Problem when trying to store NAS-Port-ID into radpostauth table
Antônio Modesto
modesto at hubsoft.com.br
Fri Sep 17 16:23:12 CEST 2021
On 17/09/2021 10:51, Alan DeKok wrote:
> On Sep 17, 2021, at 9:14 AM, Antônio Modesto <modesto at hubsoft.com.br> wrote:
>> That's really a problem. I did some tests and I don't think it is possible to do sql injection without allowing a single quote in safe_characters. Am I missing something?
> Backslashes? Various other things? You'll have to investigate your particular database in detail to see what's possible.
>
> We've listed what we know is safe. Anything else is potentially dangerous.
>
> Alan DeKok.
That's true. I will need to replace every ";" in the NAS-Port-Id
attribute with another character, "/" for example. Do you know how I can
do that without using the "%{sub:" function? (Not all my servers have
the proper version to use that already.)
--
Att, *Antônio Modesto*