dbms_assert vulnerability

  • From: "Jared Still" <jkstill@xxxxxxxxx>
  • To: "Oracle-L Freelists" <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 27 Jul 2006 09:10:20 -0700


Dear newsletter reader

Today I relased a new whitepaper "Bypassing Oracle dbms_assert". This
technique makes many already fixed
Oracle vulnerabilities (SQL Injection) exploitable again.


Summary: By using specially crafted parameters (in double quotes) it is possible to bypass the input validation of the security package dbms_assert and inject SQL code. This makes dozens of already fixed Oracle vulnerabilities exploitable in all versions of Oracle again ( -, fully patched with Oracle CPU July 2006). I informed Oracle about this problem end of April 2006 and informed Oracle about some bugs + exploits.

-- Jared Still Certifiable Oracle DBA and Part Time Perl Evangelist

Other related posts:

  • » dbms_assert vulnerability