dbms_assert vulnerability


Dear newsletter reader

Today I relased a new whitepaper "Bypassing Oracle dbms_assert". This
technique makes many already fixed
Oracle vulnerabilities (SQL Injection) exploitable again.


Summary: By using specially crafted parameters (in double quotes) it is possible to bypass the input validation of the security package dbms_assert and inject SQL code. This makes dozens of already fixed Oracle vulnerabilities exploitable in all versions of Oracle again ( -, fully patched with Oracle CPU July 2006). I informed Oracle about this problem end of April 2006 and informed Oracle about some bugs + exploits.

-- Jared Still Certifiable Oracle DBA and Part Time Perl Evangelist

Other related posts:

  • » dbms_assert vulnerability