SECURITYVULNS:DOC:13658
Jul 28, 2006 - 12:00 a.m.

Bypassing Oracle dbms_assert


Hey all,

Today I released a new whitepaper "Bypassing Oracle dbms_assert". This technique makes many already fixed Oracle vulnerabilities (SQL Injection) exploitable again.

URL:
http://www.red-database-security.com/wp/bypass_dbms_assert.pdf

Summary:
By using specially crafted parameters (in double quotes) it is possible to bypass the input validation of the security package dbms_assert and inject SQL code. This makes dozens of already fixed Oracle vulnerabilities exploitable in all versions of Oracle again (8.1.7.4 - 10.2.0.2, fully patched with Oracle CPU July 2006). I informed Oracle about this problem at the end of April 2006. Oracle has no problem with the release of this information (“Oracle sees no problem with your publication of the white paper.”)

Kind Regards

Alexander Kornbrust

Red-Database-Security GmbH
http://www.red-database-security.com