6 matches found
Oracle Database dbms_assert Filter Bypass (CVE-2006-5340)
Oracle Database Server is an enterprise-level relational database application suite. To extend the functionality of the Oracle Database Server, extra packages of related program objects, i.e. procedures, functions, variables, constants, cursors, and exceptions, are provided in order to better...
Bypassing DBMS_ASSERT in certain situations
DBMS_ASSERT can be used to prevent PL/SQL injection. In certain cases it can be bypassed. This is documented in a paper I wrote in July 2008 but am only publishing now: http://www.databasesecurity.com/oracle/Bypassing-DBMSASSERT.pdf Cheers, David Litchfield NGSSoftware Ltd...
Bypassing Oracle dbms_assert
Hey all, Today I released a new whitepaper "Bypassing Oracle dbms_assert". This technique makes many already fixed Oracle vulnerabilities SQL Injection exploitable again. URL: http://www.red-database-security.com/wp/bypassdbmsassert.pdf Summary: By using specially crafted parameters in double quot...
Oracle Database - SQL Injection in SYS.DBMS_CDC_IMPDP [DB01]
Name SQL Injection in package SYS.DBMS_CDC_IMPDP 6980711 DB01 Systems Oracle 10g Release 1 Severity High Risk Category SQL Injection Vendor URL http://www.oracle.com/ Author Alexander Kornbrust ak at red-database-security.com Advisory 18 Jul 2006 V 1.00 Details The package SYS.DBMS_CDC_IMPDP contains...
[Full-disclosure] SQL Injection in package SYS.DBMS_LOGMNR_SESSION
Name SQL Injection in package SYS.DBMS_LOGMNR_SESSION Systems Affected Oracle Database Severity Medium Risk Category SQL Injection DB06 Vendor URL http://www.oracle.com/ Author Alexander Kornbrust ak at red-database-security.com Advisory 18 April 2006 V 1.00 Oracle Bugid 6980723 Details The package...
Oracle DBMS_ASSERT and the October 2005 CPU
Whilst there are problems with the Oracle October 2005 Critical Patch Update, it's not all bad news.... There is a great deal of evidence in this patch that Oracle are beginning to treat security properly. They've introduced a new PL/SQL package DBMS_ASSERT into the RDBMS. Whilst DBMSASSER...