In association with heise online

27 November 2006, 19:40

Noxious injection for GNU Radius

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

As reported by iDefense, the GNU Radius authentication service fails to adequately filter user entries, allowing an attacker to inject SQL commands. These can be used to execute arbitrary system commands on the server in the context of the radius service - typically a root user. Versions 1.2 and 1.3 are affected and probably older versions, where Accounting is activated in the SQL database - which, according to the security bulletin, is the case for the FreeBSD and Gentoo systems tested. The error is in the SQL database accounting code, where the sqllog function is passed an unchecked parameter. The developers have released version 1.4, which contains a bug fix along with a number of other changes.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit