Bugtraq mailing list archives
Re: Bypassing Oracle dbms_assert
From: "David Litchfield" <davidl () ngssoftware com>
Date: Fri, 28 Jul 2006 15:20:50 +0100
I never claimed that dbms_assert is insecure nor do I recommend usingdbms_assert in this (insecure) way with three consecutive quotes. My PL/SQLsamples show only the generic concept of bypassing dbms_assert.
Sorry to be pedantic but this is not a generic way (concept) of bypassing dbms_assert. Your method works only in those cases where the developer has misunderstood how to use DBMS_ASSERT and used the incorrect function. That's not a generic bypass technique for DBMS_ASSERT, imho. What you've found are simply flaws in the way the developer has attempted to sanitize user input. A generic bypass techinque for DBMS_ASSERT would work in all cases - even where the package is being used correctly. For example, passing the name of a VIEW as a parameter which calls nefarious functions could be employed as a bypass technique - but even this has its problems.
Cheers, David
Current thread:
- Bypassing Oracle dbms_assert ak (Jul 27)
- Re: Bypassing Oracle dbms_assert David Litchfield (Jul 28)
- RE: Bypassing Oracle dbms_assert Alexander Kornbrust (Jul 28)
- Re: Bypassing Oracle dbms_assert David Litchfield (Jul 28)
- RE: Bypassing Oracle dbms_assert Alexander Kornbrust (Jul 28)
- Re: Bypassing Oracle dbms_assert David Litchfield (Jul 28)