TUCoPS :: Oracle :: b06-3886.htm

Bypassing Oracle dbms_assert
Bypassing Oracle dbms_assert
Bypassing Oracle dbms_assert


Hey all,=0D
=0D
Today I released a new whitepaper "Bypassing Oracle dbms_assert". This technique makes many already fixed Oracle vulnerabilities (SQL Injection) exploitable again.=0D
=0D
URL:=0D
http://www.red-database-security.com/wp/bypass_dbms_assert.pdf =0D 
 =0D
Summary:=0D
By using specially crafted parameters (in double quotes) it is possible to =0D
bypass the input validation of the security package dbms_assert and inject =0D
SQL code. This makes dozens of already fixed Oracle vulnerabilities exploitable in all versions of Oracle again (8.1.7.4 - 10.2.0.2, fully patched with Oracle CPU July 2006). I informed Oracle about this problem end of April 2006. Oracle has no problem with the release of this information (=93Oracle sees no problem with your publication of the white paper.=94)=0D
=0D
=0D
 Kind Regards=0D
=0D
 Alexander Kornbrust=0D
=0D
 Red-Database-Security GmbH=0D
http://www.red-database-security.com=0D

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH