Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Bypassing Oracle dbms_assert
From: "David Litchfield" <davidl () ngssoftware com>
Date: Fri, 28 Jul 2006 05:42:24 +0100

Today I released a new whitepaper "Bypassing Oracle dbms_assert".
<SNIP>
Oracle has no problem with the release of this information
("Oracle sees no problem with your publication of the
white paper.")

The reason Oracle sees no problem with the release of the paper is that for your technique to work the DBMS_ASSERT.QUALIFIED_SQL_NAME has to be used in the wrong context; you simply wouldn't use QUALIFIED_SQL_NAME in this manner - i.e. within quotes. I've just had a quick look through the SYS packages and find no instance of DBMS_ASSERT.QUALIFIED_SQL_NAME being used this way. If there is such a case, in other words I've missed it, then it would be a flaw in the package/procedure/function itslef and not a problem with DBMS_ASSERT - with the fix being to use the correct DBMS_ASSERT function instead of QUALIFIED_SQL_NAME or alternatively use a bind variable.

Cheers,
David





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]