>>>>> "Josh" == Josh Howlett <[log in to unmask]> writes:
Josh> Is there scope for an SQL injection attack from an upstream
Josh> AAA client or proxy using the naming attributes? Obviously
Josh> we're already trusting the AAA client or proxy to provide true
Josh> values, but an SQL attack could potentially cause quite a bit
Josh> of damage beyond masquerading as another acceptor.
Josh> Josh.
Well, we're not quite trusting the RP proxy to provide true values; only
true values within the constraints.
We were planning on writing the code to avoid the SQL injection attack,
although yes, it would be possible to support that attack if we're not
careful with the SQL.
Of somewhat more concern is managing to avoid a FreeRADIUS unlang xlat
attack or similar.
FreeRADIUS sometimes trusts content read from SQL more than you might
like.
I was planning to review our approach and make sure we adequately
restrict the inputs and adequately escape.
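
Added example, not part of the original thread and not the project's code: a sketch of "restrict the inputs and adequately escape" for naming attributes received from an upstream AAA client or proxy. The table layout, function names and the DNS-style allow-list are assumptions, and sqlite3 stands in for whatever SQL backend is actually used.

```python
import re
import sqlite3

# Assumed policy: naming attributes are DNS-style names only. The allow-list
# also excludes quotes, whitespace and the '%', '{', '}' characters, so a
# stored value cannot carry expansion syntax when it is later read back.
NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?")

def validate_name(value):
    """Return value unchanged if it matches the allow-list, else raise."""
    if not isinstance(value, str) or not NAME_RE.fullmatch(value):
        raise ValueError("rejected naming attribute: %r" % (value,))
    return value

def open_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acceptors (host TEXT, realm TEXT, policy TEXT)")
    db.executemany("INSERT INTO acceptors VALUES (?, ?, ?)", [
        ("ssh.example.org", "example.org", "allow"),
        ("mail.example.net", "example.net", "allow"),
    ])
    return db

def lookup_concat(db, host, realm):
    """'Before' form: attribute values pasted into the SQL text."""
    sql = ("SELECT policy FROM acceptors "
           "WHERE host = '%s' AND realm = '%s'" % (host, realm))
    return db.execute(sql).fetchall()

def lookup_bound(db, host, realm, validate=True):
    """Hardened form: allow-list check, then bound parameters."""
    if validate:
        host, realm = validate_name(host), validate_name(realm)
    sql = "SELECT policy FROM acceptors WHERE host = ? AND realm = ?"
    return db.execute(sql, (host, realm)).fetchall()

if __name__ == "__main__":
    db = open_db()
    hostile = "x' OR '1'='1"  # constructed attribute value
    print(lookup_concat(db, "ssh.example.org", hostile))
    print(lookup_bound(db, "ssh.example.org", hostile, validate=False))
```

Binding alone keeps the value out of the SQL grammar; the allow-list is what keeps unexpected characters out of the stored data that other components later read.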