Java Mailing List Archive

http://www.dba.5341.com/

Home » Home (12/2007) » oracle l »

dbms_assert vulnerability

Jared Still

2006-07-27


FYI
---------------------------------------------------

Dear newsletter reader

Today I relased a new whitepaper "Bypassing Oracle dbms_assert". This technique makes many already fixed
Oracle vulnerabilities (SQL Injection) exploitable again.

URL:
http://www.red-database-security.com/wp/bypass_dbms_assert.pdf


Summary:
By using specially crafted parameters (in double quotes) it is possible to
bypass the input validation of the security package dbms_assert and inject
SQL code. This makes dozens of already fixed Oracle vulnerabilities exploitable
in all versions of Oracle again (8.1.7.4 - 10.2.0.2, fully patched with Oracle
CPU July 2006). I informed Oracle about this problem end of April 2006 and informed
Oracle about some bugs + exploits.


--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
©2008 dba.5341.com - Jax Systems, LLC, U.S.A.