Date: 27 Jul 2006 16:16:01 -0000
From: [email protected]
To: [email protected]Subject: Bypassing Oracle dbms_assert
X-Virus-Scanned: antivirus-gw at tyumen.ru
Hey all,
Today I released a new whitepaper "Bypassing Oracle dbms_assert". This technique makes many already fixed Oracle vulnerabilities (SQL Injection) exploitable again.
URL:
http://www.red-database-security.com/wp/bypass_dbms_assert.pdf
Summary:
By using specially crafted parameters (in double quotes) it is possible to
bypass the input validation of the security package dbms_assert and inject
SQL code. This makes dozens of already fixed Oracle vulnerabilities exploitable in all versions of Oracle again (8.1.7.4 - 10.2.0.2, fully patched with Oracle CPU July 2006). I informed Oracle about this problem end of April 2006. Oracle has no problem with the release of this information (⌠Oracle sees no problem with your publication of the white paper.■)
Kind Regards
Alexander Kornbrust
Red-Database-Security GmbH
http://www.red-database-security.com
