Network Security: Detailed info on Re: Bypassing Oracle dbms

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Vuln-Dev

[Top] [All Lists]

Re: Bypassing Oracle dbms_assert

from [David Litchfield] Network Security

[Permanent Link]

Subject:	Re: Bypassing Oracle dbms_assert
Date:	Fri, 28 Jul 2006 05:42:24 +0100

Today I released a new whitepaper "Bypassing Oracle dbms_assert".

<SNIP>

Oracle has no problem with the release of this information
("Oracle sees no problem with your publication of the
white paper.")

The reason Oracle sees no problem with the release of the paper is that for your technique to work the DBMS_ASSERT.QUALIFIED_SQL_NAME has to be used in the wrong context; you simply wouldn't use QUALIFIED_SQL_NAME in this manner - i.e. within quotes. I've just had a quick look through the SYS packages and find no instance of DBMS_ASSERT.QUALIFIED_SQL_NAME being used this way. If there is such a case, in other words I've missed it, then it would be a flaw in the package/procedure/function itslef and not a problem with DBMS_ASSERT - with the fix being to use the correct DBMS_ASSERT function instead of QUALIFIED_SQL_NAME or alternatively use a bind variable.

Cheers,
David

[More messages with this same subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Bypassing Oracle dbms_assert, ak Re: Bypassing Oracle dbms_assert, David Litchfield <= RE: Bypassing Oracle dbms_assert, Alexander Kornbrust Re: Bypassing Oracle dbms_assert, David Litchfield

Previous by Date:	[Full-disclosure] [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released, William A. Rowe, Jr.
Next by Date:	[OpenPKG-SA-2006.015] OpenPKG Security Advisory (apache), OpenPKG
Previous by Thread:	Bypassing Oracle dbms_assert, ak
Next by Thread:	RE: Bypassing Oracle dbms_assert, Alexander Kornbrust
Indexes:	[Date] [Thread] [Top] [All Lists]