Package: freeradius
Version: 1.0.2-3
Severity: wishlist
Tags: security
In /src/modules/rlm_sql/rlm_sql.c there are a few possible problems (IMHO). Please disregard the message if you disagree.

In sql_escape_func (line 406) there is a loop with a special break condition in line 414 ("if (outlen <= 1)"), which is fine unless we have three (3) or less characters available and the input character needs escaping (with =XX). In this case this loop causes a minor buffer overflow (a few characters). As the output buffer is huge, this should not be an easily exploitable problem.

The other three problems are in lines 520, 1152, 1196 where radius_xlat is called for generation of the SQL query for execution. It's called without an escape function (NULL), which is afterwards replaced with a simple copy. As these queries may contain references to user supplied data (username ...), this may result in SQL injection. This is also hard to exploit as the user has to be authenticated already before any of these SQL statements can get executed.

Primoz Bratanic

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages freeradius depends on:
ii  libc6     2.3.2.ds1-21  GNU C Library: Shared libraries an
ii  libgdbm3  1.8.3-2       GNU dbm database routines (runtime
ii  libltdl3  1.5.6-6       A system independent dlopen wrappe
ii  libpam0g  0.76-22       Pluggable Authentication Modules l

-- no debconf information
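The two issues the report describes (an escape loop whose bounds check only reserves one byte although an escape emits three, and query expansion that runs with no escape function so user data is copied verbatim) are easy to see in a small reconstruction. The following is added example code, not the FreeRADIUS source: the functions `needs_escape`, `put_hex`, `escape_buggy`, `escape_fixed` and `expand_user`, the query template and the table name `users` are this example's own assumptions. `escape_buggy` keeps the report's `outlen <= 1` check; `escape_fixed` reserves room for the whole `=XX` escape plus the terminating NUL before writing, and `expand_user` shows the difference between passing `NULL` and passing a real escape function.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeRADIUS code: a hypothetical reconstruction of the
 * "=XX" escaping pattern described in the bug report, in a buggy and a
 * fixed form, plus a tiny query expander. All names are this example's own. */

/* Characters copied through unchanged; everything else is written as "=XX". */
static int needs_escape(unsigned char c)
{
    return !((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
             (c >= 'a' && c <= 'z') || c == '_' || c == '-' || c == '.');
}

/* Write the three-byte escape "=XX" for c at dst (no NUL terminator). */
static void put_hex(char *dst, unsigned char c)
{
    static const char hex[] = "0123456789ABCDEF";
    dst[0] = '=';
    dst[1] = hex[c >> 4];
    dst[2] = hex[c & 0x0f];
}

/* Buggy variant: mirrors the report's "if (outlen <= 1)" break. A 3-byte
 * escape is still emitted when only 2 or 3 bytes remain, so the escape and
 * the NUL land past the end of out (and outlen wraps around). Returns the
 * number of bytes written, excluding the NUL. */
size_t escape_buggy(char *out, size_t outlen, const char *in)
{
    size_t len = 0;
    while (*in) {
        unsigned char c;
        if (outlen <= 1) break;            /* reserves 1 byte, but may write 3 */
        c = (unsigned char)*in++;
        if (needs_escape(c)) {
            put_hex(out, c);
            out += 3; len += 3; outlen -= 3;   /* wraps when outlen < 3 */
        } else {
            *out++ = (char)c; len++; outlen--;
        }
    }
    *out = '\0';
    return len;
}

/* Fixed variant: check that the whole escape plus the terminating NUL fits
 * before writing it, and stop cleanly when the buffer is full. */
size_t escape_fixed(char *out, size_t outlen, const char *in)
{
    size_t len = 0;
    if (outlen == 0) return 0;
    while (*in) {
        unsigned char c = (unsigned char)*in;
        if (needs_escape(c)) {
            if (outlen < 4) break;         /* "=XX" + NUL */
            put_hex(out, c);
            out += 3; len += 3; outlen -= 3;
        } else {
            if (outlen < 2) break;         /* char + NUL */
            *out++ = (char)c; len++; outlen--;
        }
        in++;
    }
    *out = '\0';
    return len;
}

/* Minimal stand-in for an xlat-style expansion: substitute the user name into
 * a constructed query template. With escape == NULL the name is copied
 * verbatim (the situation the report describes); with escape_fixed the
 * quote character is neutralised. Returns the length snprintf reports. */
typedef size_t (*escape_fn)(char *, size_t, const char *);

int expand_user(char *out, size_t outlen, const char *user, escape_fn escape)
{
    char value[64];
    if (escape) {
        escape(value, sizeof value, user);
    } else {
        snprintf(value, sizeof value, "%s", user);   /* plain copy, no escaping */
    }
    return snprintf(out, outlen, "SELECT id FROM users WHERE username = '%s'", value);
}

int main(void)
{
    char q[160];
    expand_user(q, sizeof q, "o'neil", NULL);
    puts(q);                                 /* quote goes into the query raw */
    expand_user(q, sizeof q, "o'neil", escape_fixed);
    puts(q);                                 /* quote arrives as =27 */
    return 0;
}
```

Running the program prints the same query twice, once with the raw quote and once with it encoded as `=27`; the buggy escape routine is only exercised by the test with a buffer sized so the spill stays inside a larger canary array.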