FreeRadius XMLRPC admin password



  • When using '$' in a password for the admin login on sync slaves,
    the web interface of the FreeRadius package seems to consume '$' and all following characters.
    In my case until it found a '?' later in the password.
    Works perfectly in UserManager and CARP.

    Isn't that a security hole in the 'GUI Admin Password' field?

    Also the password is saved clear text in the config.xml.
    Shouldn't it be encrypted?



  • @qwertz:

    the web interface of the FreeRadius package seems to consume '$' and all following characters.

    The code is interpreting it as a php var.

    @qwertz:

    Also the password is saved clear text in the config.xml.
    Shouldn't it be encrypted?

    Encrypt your backup files to keep it safe.
    xmlrpc code needs to authenticate on remote system and AFAIK this is the only way to do that on current pfsense code.

    There is a new sync gui that uses system sync settings to push config to slave box, but I think it's not applied to Freeradius yet.
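    The symptom described above (everything from '$' up to the next '?' vanishing) is exactly what happens when a password is pasted into PHP source inside a double-quoted string: PHP reads "$def" as a variable name and substitutes its (empty) value. The snippet below is an added illustration, not code from pfSense or the FreeRadius package; the password value, the function names and the use of eval() to stand in for "generated PHP that is executed later" are all constructed for the example.

```php
<?php
// Added example (not pfSense / FreeRadius package code).
// Shows why a '$' in a password disappears when the password is embedded
// in a double-quoted PHP string, and how to emit it safely.

error_reporting(E_ALL);

// Constructed sample password, not a real credential.
$adminPassword = 'abc$def?ghi';

// Defective pattern (hypothetical): the password is spliced into generated
// PHP source between double quotes. eval() stands in for the generated file
// being executed later. PHP sees "$def" as a variable: '?' cannot be part
// of a variable name, so interpolation stops there. The variable does not
// exist, so "$def" becomes an empty string and the characters are lost.
// PHP also logs an "Undefined variable" warning here, which is the signal
// a defender would look for in the web server / PHP logs.
function buildLineInterpolated(string $password): string
{
    return eval('return "password = ' . $password . '";');
}

// Safe pattern 1: keep the password as data. Plain concatenation never
// hands the value to the PHP parser, so nothing is interpreted.
function buildLineConcatenated(string $password): string
{
    return 'password = ' . $password;
}

// Safe pattern 2: when a literal really has to be written into generated
// PHP source, let var_export() produce it. It emits a single-quoted
// literal with ' and \ escaped, so '$', '{' and friends stay inert.
function buildPhpLiteral(string $password): string
{
    return 'password = ' . var_export($password, true) . ';';
}

// Quick check a maintainer can run against a candidate password: does it
// survive the round trip unchanged?
function passwordSurvives(string $password): bool
{
    return buildLineInterpolated($password) === 'password = ' . $password;
}

echo buildLineInterpolated($adminPassword), PHP_EOL;
echo buildLineConcatenated($adminPassword), PHP_EOL;
echo buildPhpLiteral($adminPassword), PHP_EOL;
echo passwordSurvives($adminPassword) ? "survives\n" : "truncated\n";
```

    Run with `php example.php`: the interpolated line comes back as `password = abc?ghi` (with the undefined-variable warning), while both safe builders return the full value. The general rule is the one the reply hints at: a credential must reach the remote side as data, never as a fragment of PHP source, and any '$' in a password should be tested with passwordSurvives() before the field is trusted.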



  • @marcelloc:

    The code is interpreting it as a php var.

    Isn't it possible then to inject unwanted code here?

    @marcelloc:

    Encrypt your backup files to keep it safe.
    xmlrpc code needs to authenticate on remote system and AFAIK this is the only way to do that on current pfsense code.

    There is a new sync gui that uses system sync settings to push config to slave box, but I think it's not applied to Freeradius yet.

    OK, so I will change the password.
    Thx.



  • @qwertz:

    Isn't it possible then to inject unwanted code here?

    It's a good question and may need some tests but IIRC, there is a limit on password fields (that may limit injection code) and in normal use, only admins have access to the pfsense gui.



  • @qwertz:

    Also the password is saved clear text in the config.xml.
    Shouldn't it be encrypted?

    It can't be securely.
    http://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml%3F

