From: "NGSSoftware Insight Security Research" <nisr@nextgenss.com.>
To: <bugtraq@securityfocus.com.>, <ntbugtraq@listserv.ntbugtraq.com.>
Subject: Oracle DBMS_ASSERT and the October 2005 CPU
Date: Tue, 8 Nov 2005 16:57:07 -0000
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Virus-Scanned: antivirus-gw at tyumen.ru
Whilst there are problems with the Oracle October 2005 Critical Patch
Update, it's not all bad news....
There is a great deal of evidence in this patch that Oracle are beginning to
treat security properly. They've introduced a new package PL/SQL package
DBMS_ASSERT into the RDBMS. Whilst DBMS_ASSERT was first released as part of
the new10g Release 2 it has been packported. Oracle use this package to
sanitize user input to help prevent SQL injection. As this package has not
been documented NGSResearch have done so aqs we feel that third-party Oracle
app developers could benefit by using the package. This, and other papers,
can be found at http://www.ngssoftware.com/papers.htm .
Cheers,
The NGSResearch Team
