Network Security: Detailed info on Re: Bypassing Oracle dbms

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Bugtraq

[Top] [All Lists]

Re: Bypassing Oracle dbms_assert

from [David Litchfield] Network Security

[Permanent Link]

Subject:	Re: Bypassing Oracle dbms_assert
Date:	Fri, 28 Jul 2006 15:20:50 +0100

I never claimed that dbms_assert is insecure nor do I recommend using dbms_assert in this (insecure) way with three consecutive quotes. My PL/SQL samples show only the generic concept of bypassing dbms_assert.

Sorry to be pedantic but this is not a generic way (concept) of bypassing dbms_assert. Your method works only in those cases where the developer has misunderstood how to use DBMS_ASSERT and used the incorrect function. That's not a generic bypass technique for DBMS_ASSERT, imho. What you've found are simply flaws in the way the developer has attempted to sanitize user input. A generic bypass techinque for DBMS_ASSERT would work in all cases - even where the package is being used correctly. For example, passing the name of a VIEW as a parameter which calls nefarious functions could be employed as a bypass technique - but even this has its problems. Cheers, David

[More messages with this same subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Bypassing Oracle dbms_assert, ak Re: Bypassing Oracle dbms_assert, David Litchfield RE: Bypassing Oracle dbms_assert, Alexander Kornbrust Re: Bypassing Oracle dbms_assert, David Litchfield <=

Previous by Date:	RE: Bypassing Oracle dbms_assert, Alexander Kornbrust
Next by Date:	Re: [Full-disclosure] Oracle 10g R2 and, probably, all previous versions, rjamya
Previous by Thread:	RE: Bypassing Oracle dbms_assert, Alexander Kornbrust
Next by Thread:	Xss in MttKe-php v2.6, R0t-K33Y
Indexes:	[Date] [Thread] [Top] [All Lists]