Hi,

if you are using SQLite with GnuGk, you should be aware of a possible SQL injection attack.

Don't take this lightly! It means that somebody who is only able to send you a Setup message can delete or alter your internal database, even when your authentication mechanism rejects the call!

So if you are using SQLite, you should either switch to the latest CVS code or fix all your SQL statements to only use single-quotes for literals. Using double-quotes may compromise the security of your gatekeeper.

Example:

[SQLAuth]
Driver=SQLite
Database=/foo/gnugk.db
; VULNERABLE !!!
; CallQuery=SELECT active from user where name="%{Calling-Station-Id}"
; OK
CallQuery=SELECT active from user where name='%{Calling-Station-Id}'

Regards,
Jan

--
Jan Willamowius, Founder of the GNU Gatekeeper Project
EMail : jan@xxxxxxxxxxxxxx
Website: http://www.gnugk.org
Support: http://www.willamowius.com/gnugk-support.html

Relaxed Communications GmbH
Frahmredder 91
22393 Hamburg
Managing Director: Jan Willamowius
HRB 125261 (Amtsgericht Hamburg)
VAT ID: DE286003584
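One way to audit a GnuGk configuration for the pattern this post warns about, as an added example (not part of the original post and not GnuGk code). It reports every `%{...}` placeholder that sits inside a double-quoted SQL literal on an active (uncommented) line; the sample config and the key name `ExampleQuery` are constructed for illustration.

```python
import re

PLACEHOLDER = re.compile(r"%\{[^}]*\}")

# Constructed sample config, modelled on the example in the post.
# "ExampleQuery" is a hypothetical key used only to show a safe line.
SAMPLE_INI = '''\
[SQLAuth]
Driver=SQLite
Database=/foo/gnugk.db
; CallQuery=SELECT active from user where name="%{Calling-Station-Id}"
CallQuery=SELECT active from user where name="%{Calling-Station-Id}"
ExampleQuery=SELECT active from user where name='%{Calling-Station-Id}' and note='say "hi"'
'''

def double_quoted_spans(sql):
    """Return the text of each "..." span, ignoring quotes inside '...' literals."""
    spans, quote, start, i = [], None, 0, 0
    while i < len(sql):
        ch = sql[i]
        if quote is None:
            if ch in "'\"":
                quote, start = ch, i + 1
        elif ch == quote:
            if i + 1 < len(sql) and sql[i + 1] == quote:
                i += 1                      # doubled quote is an escaped quote
            else:
                if quote == '"':
                    spans.append(sql[start:i])
                quote = None
        i += 1
    if quote == '"':                        # unterminated double-quoted span
        spans.append(sql[start:])
    return spans

def audit(ini_text):
    """Return (line number, section, key, placeholder) for each risky placeholder."""
    findings, section = [], None
    for lineno, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":     # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        for span in double_quoted_spans(value):
            for ph in PLACEHOLDER.findall(span):
                findings.append((lineno, section, key.strip(), ph))
    return findings
```

Run `audit()` over the text of your own configuration file and rewrite every reported query to use single quotes around the placeholder.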