TekRADIUS SQL注入及不安全权限漏洞

CVECAN ID: CVE-2009-2357,CVE-2009-2358,CVE-2009-2359 TekRadius是一个免费的RADIUS服务器，可以支持RFC 2865和RFC 2866规范。 1 TekRADIUS的默认配置使用sa账号与Microsoft SQL Server通讯，远程攻击者可以相对较容易的获得对数据库的特权访问。 2 TekRADIUS将数据库凭据存储在了C:\Program Files\TekRADIUS\TekRADIUS.ini文件中。任何Windows本地用户都可以访问这个文件，读取加密了的凭据。 3...

Design/Logic Flaw

TekRADIUS 3.0 uses BUILTIN\Users:R permissions for the TekRADIUS.ini file, which allows local users to obtain obfuscated database credentials by reading this file...

CVE-2009-2358

TekRADIUS 3.0 uses BUILTIN\Users:R permissions for the TekRADIUS.ini file, which allows local users to obtain obfuscated database credentials by reading this file...