
dbms_assert vulnerability

From: Jared Still <jkstill_at_gmail.com>
Date: Thu, 27 Jul 2006 09:10:20 -0700
Message-ID: <bf46380607270910j68cf97c0rdcf2a33fd74c0028@mail.gmail.com>


FYI


Dear newsletter reader

Today I released a new whitepaper "Bypassing Oracle dbms_assert". This technique makes many already fixed
Oracle vulnerabilities (SQL Injection) exploitable again.

URL:
http://www.red-database-security.com/wp/bypass_dbms_assert.pdf

Summary:
By using specially crafted parameters (in double quotes) it is possible to bypass the input validation of the security package dbms_assert and inject SQL code. This makes dozens of already fixed Oracle vulnerabilities exploitable in all versions of Oracle again (8.1.7.4 - 10.2.0.2, fully patched with Oracle CPU July 2006). I informed Oracle about this problem at the end of April 2006 and informed Oracle about some bugs + exploits.

--

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

--

http://www.freelists.org/webpage/oracle-l Received on Thu Jul 27 2006 - 11:10:20 CDT
