Hello Froilan,

On Apr 22, 10:51am, Froilan Mendoza wrote:
> Subject: Re: (RADIATOR) Oh Dear - Possible Authentication Bug
>
> On Sat, 22 Apr 2000, Brian Morris wrote:
>
> > The error occurs when the user places an apostrophe somewhere in their
> > username - even though there is not one in their user record on our system,
> > Radiator will still let them in.  (e.g. Username johnsmith logs in as
> > johnsmit'h )
> >
> > The accounting record is written as johnsmit'h so effectively the user does
> > not get billed for their usage.
>
> And I thought it was just our external auth program.

The problem would only have affected AuthBy SQL, so I don't think it would have
had an impact on external authentication?

Cheers.

>
> Actually, what I noticed was that if they use a string of random
> characters other than [a-z], [0-9], [-], [_], they are being allowed.
> Among the successful logins were accounts with more than 15 characters,
> and those with characters other than those allowed.
>
> We only discovered it about two weeks ago, so you can imagine how many
> successful logins were made without being accounted.  Tsktsk.  What I did
> was prune the username strings to their barest minimum, removing all
> characters which are not allowed, and THEN check our database for auth and
> acct purposes.
>
> RewriteUsername tr/A-Z/a-z/
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/0-9a-z\-_//cd
>
> Seemed to work.  Whereas our POPs were usually 95% full, it went down to
> at most 85%.
>
> Sincerely,
>
> Froilan C. Mendoza
> Manager - Systems Management
> Tridel Technologies, Inc.
> http://www.tridel.net
>
> ===
> Archive at http://www.starport.net/~radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
>-- End of excerpt from Froilan Mendoza
-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
2000, NT, MacOS X
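Added example (mine; not Radiator's code and not from this thread): the three RewriteUsername rules Froilan posted, redone in Python, beside a subscriber lookup done two ways against a constructed in-memory sqlite3 table holding one user, johnsmith with password "secret". naive_lookup splices the User-Name into the SQL text, which is what an unescaped apostrophe breaks; the thread does not say exactly how Radiator turned that into an accept, so the example only shows what the query itself does. lookup_password binds the name as a parameter and authenticate fails closed, returning the normalised name so the same string reaches the accounting record. All function, table and column names are my own assumptions.

```python
import sqlite3
import string

# Added example, not Radiator code: the three RewriteUsername rules from the
# post, re-implemented in Python so the mapping can be checked offline.
#   tr/A-Z/a-z/            lower-case ASCII letters only
#   s/^([^@]+).*/$1/       keep what precedes the first '@' (drops the realm)
#   tr/0-9a-z\-_//cd       delete every character not in [0-9a-z_-]
_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)
_ALLOWED = set(string.digits + string.ascii_lowercase + "-_")


def normalize_username(raw):
    """Return the canonical name a NAS-supplied User-Name maps to.

    Applied before BOTH the auth lookup and the accounting record, so that
    "johnsmit'h" is billed as "johnsmith" rather than as a separate user.
    """
    name = raw.translate(_LOWER)
    head = name.split("@", 1)[0]
    if head:                      # s/^([^@]+).*/$1/ needs at least one char
        name = head
    return "".join(ch for ch in name if ch in _ALLOWED)


# Constructed sample table (assumed names) standing in for the subscriber DB.
_SCHEMA = """
CREATE TABLE subscribers (username TEXT PRIMARY KEY, password TEXT);
INSERT INTO subscribers VALUES ('johnsmith', 'secret');
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(_SCHEMA)
    return db


def naive_lookup(db, username):
    """The failure mode: User-Name spliced into the SQL text.  An apostrophe
    ends the string literal, so the caller controls the rest of the WHERE."""
    sql = "SELECT password FROM subscribers WHERE username = '%s'" % username
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def naive_outcome(db, username):
    """Classify what naive_lookup does for a given User-Name."""
    try:
        return "match" if naive_lookup(db, username) is not None else "no-match"
    except sqlite3.OperationalError:      # broken SQL, e.g. johnsmit'h
        return "error"


def lookup_password(db, username):
    """Hardened form: the name is bound as a parameter, never interpolated."""
    row = db.execute("SELECT password FROM subscribers WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else None


def authenticate(db, raw_username, password):
    """Fail closed: accept only on an exact row for the normalised name.
    Returns (accepted, canonical_name); the name is what accounting logs."""
    user = normalize_username(raw_username)
    stored = lookup_password(db, user)
    return (stored is not None and stored == password), user


if __name__ == "__main__":
    db = open_db()
    for name in ("johnsmith", "johnsmit'h", "x' OR '1'='1"):
        print("%-16r naive=%-9s normalised=%r"
              % (name, naive_outcome(db, name), normalize_username(name)))
    print(authenticate(db, "JOHNSMIT'H@tridel.net", "secret"))
```

The third constructed name goes beyond the apostrophe case in the thread: once the quote is open, the caller can append its own clause and the string-built query matches a row it should not.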