« Flash Worm - SANS Analysis | Main | Apache.org Compromised via stolen SSH keys »

Article: Bypassing DBMS_ASSERT in certain situations

David "I like to beat up on oracle" Litchfield has published a new paper outlining how DBMS_ASSERT can be misused in such a way that SQL Injection is possible.

From the whitepaper

"The DBMS_ASSERT builtin package can be used by PL/SQL developers to protect
against SQL injection attacks[1]. In [2] Alex Kornbrust showed that there are certain
cases where the use of the DBMS_ASSERT.QUALIFIED_SQL_NAME function can be
unintentionally misused by developers in such a way that SQL injection is still possible.
Alex's attack showed a way to break out of a quoted string to inject arbitrary SQL. This
paper discusses another scenario where using the same function can still allow an attacker
to inject arbitrary SQL. The problem arises when the QUALIFIED_SQL_NAME
function is used to validate a column name in a select list or where clause for example.
Multiple instances of this scenario have been found and reported to Oracle."

Read more: http://www.databasesecurity.com/oracle/Bypassing-DBMS_ASSERT.pdf


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!