Bypassing Oracle dbms_assert Jul 27 2006 04:16PM
ak red-database-security com (1 replies)
Re: Bypassing Oracle dbms_assert Jul 28 2006 04:42AM
David Litchfield (davidl ngssoftware com) (1 replies)
RE: Bypassing Oracle dbms_assert Jul 28 2006 01:52PM
Alexander Kornbrust (ak red-database-security com) (1 replies)
Re: Bypassing Oracle dbms_assert Jul 28 2006 02:20PM
David Litchfield (davidl ngssoftware com)
> I never claimed that dbms_assert is insecure nor do I recommend using
> dbms_assert in this (insecure) way with three consecutive quotes. My
> samples show only the generic concept of bypassing dbms_assert.

Sorry to be pedantic but this is not a generic way (concept) of bypassing
dbms_assert. Your method works only in those cases where the developer has
misunderstood how to use DBMS_ASSERT and used the incorrect function. That's
not a generic bypass technique for DBMS_ASSERT, imho. What you've found are
simply flaws in the way the developer has attempted to sanitize user input.
A generic bypass techinque for DBMS_ASSERT would work in all cases - even
where the package is being used correctly. For example, passing the name of
a VIEW as a parameter which calls nefarious functions could be employed as a
bypass technique - but even this has its problems.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus