Some time ago, I submitted the below security issue, and I wanted to know when
the next release was due that (hopefully) fixed the issue(!?!?)
-Ben
> If I know a valid password for any
> account, I can get in with a username of "*", and the valid password.
>
> Passwords
Well I changed the SQL query to be case sensitive. That has stopped the
problem, however, I can't find anything in the portslave config to cause
it to drop the "R".
I am moving this thread to the portslave list.
Thanks for everyone's input.
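The matching behaviour Robert describes (a case-insensitive database comparison letting "Rcanary" authenticate against the "rcanary" row, cured by making the query case sensitive), as an added example that is not part of the thread and not code from FreeRADIUS or portslave. It uses SQLite's COLLATE NOCASE and COLLATE BINARY as stand-ins for MySQL's case-insensitive and case-sensitive string comparison (an assumption that holds for ASCII usernames), a constructed one-row radcheck table with a made-up password, and an application-side exact-name comparison in authenticate() that is a defence-in-depth addition not discussed in the thread.

```python
import sqlite3

# Constructed sample data: one account, named as in the thread; password is made up.
SAMPLE_ACCOUNTS = [("rcanary", "s3cret")]  # (UserName, Password)


def make_db(case_insensitive):
    """Build an in-memory account table.

    SQLite's COLLATE NOCASE stands in for MySQL's default case-insensitive
    string comparison (assumption: equivalent for ASCII usernames), and
    COLLATE BINARY for the case-sensitive comparison the query was changed to.
    """
    conn = sqlite3.connect(":memory:")
    collate = "NOCASE" if case_insensitive else "BINARY"
    conn.execute(
        f"CREATE TABLE radcheck (UserName TEXT COLLATE {collate}, Password TEXT)"
    )
    conn.executemany("INSERT INTO radcheck VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup(conn, username):
    """The per-login query: rows whose UserName equals the name the NAS sent.

    Whether 'Rcanary' hits the 'rcanary' row is decided entirely by the
    column's collation, not by anything the RADIUS code does.
    """
    cur = conn.execute(
        "SELECT UserName, Password FROM radcheck WHERE UserName = ?", (username,)
    )
    return cur.fetchall()


def authenticate(conn, username, password, exact_name=True):
    """Return the stored UserName on success, None on failure.

    exact_name=True adds a byte-for-byte comparison of the stored name against
    the presented one in application code, so the decision no longer depends
    on whoever configured the database collation (defence in depth; hypothetical
    addition, not something the thread describes).
    """
    for stored_name, stored_pw in lookup(conn, username):
        if stored_pw != password:
            continue
        if exact_name and stored_name != username:
            continue
        return stored_name
    return None


if __name__ == "__main__":
    for ci in (True, False):
        db = make_db(ci)
        print("case-insensitive" if ci else "case-sensitive", "UserName column:")
        for name in ("rcanary", "Rcanary"):
            print(f"  {name!r} without app check ->",
                  authenticate(db, name, "s3cret", exact_name=False))
            print(f"  {name!r} with app check    ->",
                  authenticate(db, name, "s3cret"))
```

With the NOCASE column and no application check, "Rcanary" plus the right password succeeds and the row that matched is "rcanary"; with the BINARY column, or with the exact-name check, it fails. In MySQL itself the equivalent of the second case is a `_bin` collation on the column or the `BINARY` operator in the WHERE clause. The separate "*" username report at the top of the page is not modelled here, because the thread does not say how that name came to match a row.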
Alan DeKok wrote:
>
> Robert Canary <[EMAIL PROTECTED]> w
On Mon, Feb 10, 2003 at 10:19:22AM -0600, Robert Canary wrote:
> When MySQL is queried for that password against that username (regardless
> of case) it returns a match because MySQL isn't case sensitive. That's
> something which should be boldly noted in the docs.
Not necessarily. "MySQL isn't case
On Sun, 9 Feb 2003 19:55, Robert Canary wrote:
> Let's say I have a username of "rcanary". The account is created on the
> radius (MySql DB) as UserName=rcanary
>
> Now let's say I try to dial in (using portslave here in this case). I
> mistype the username as *R*canary instead of *r*canary.
> The RA
Robert Canary <[EMAIL PROTECTED]> wrote:
> Now here is the odd thing I noticed. PPPD logs the user as
> "Rcanary" as being logged on, however, utmps and privileges the user as
> "canary".
Then either PPPd or the RADIUS server is stripping off the leading
'R'.
The server doesn't do it unl
When MySQL is queried for that password against that username (regardless
of case) it returns a match because MySQL isn't case sensitive. That's
something which should be boldly noted in the docs.
Now here is the odd thing I noticed. PPPD logs the user as
"Rcanary" as being logged on, however,
Robert Canary <[EMAIL PROTECTED]> wrote:
> Now let's say I try to dial in (using portslave here in this case). I
> mistype the username as *R*canary instead of *r*canary.
> The RAS is case sensitive. However, radius is allowing the Rcanary and
> rcanary.
So run the server in debugging mode, to s
Hello Robert,
Sunday, February 9, 2003, 9:55:20 PM, you wrote:
RC> Let's say I have a username of "rcanary". The account is created on the
RC> radius (MySql DB) as UserName=rcanary
RC> Now let's say I try to dial in (using portslave here in this case). I
RC> mistype the username as *R*canary inste
Let's say I have a username of "rcanary". The account is created on the
radius (MySql DB) as UserName=rcanary
Now let's say I try to dial in (using portslave here in this case). I
mistype the username as *R*canary instead of *r*canary.
The RAS is case sensitive. However, radius is allowing the Rcan