dbms_assert vulnerability

  • From: "Jared Still" <jkstill@xxxxxxxxx>
  • To: "Oracle-L Freelists" <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 27 Jul 2006 09:10:20 -0700

FYI
---------------------------------------------------

Dear newsletter reader

Today I released a new whitepaper "Bypassing Oracle dbms_assert". This technique makes many already fixed Oracle vulnerabilities (SQL Injection) exploitable again.

URL:
http://www.red-database-security.com/wp/bypass_dbms_assert.pdf


Summary: By using specially crafted parameters (in double quotes) it is possible to bypass the input validation of the security package dbms_assert and inject SQL code. This makes dozens of already fixed Oracle vulnerabilities exploitable in all versions of Oracle again (8.1.7.4 - 10.2.0.2, fully patched with Oracle CPU July 2006). I informed Oracle about this problem at the end of April 2006 and informed Oracle about some bugs + exploits.


-- Jared Still Certifiable Oracle DBA and Part Time Perl Evangelist
