In association with heise online

28 July 2006, 14:06

Hole in Oracle security module


The database security specialist Alexander Kornbrust has published a report describing a hole in DBMS_ASSERT, an Oracle package for validating user input. The package was first introduced with Oracle 10g Release 2 to protect against SQL injection attacks; since patch day in October 2005, it has also been available for Oracle 8.1.7.4 to 10.1.0.5.

Due to an error, the protection can be bypassed by specifying certain parameters in double quotes, which permits SQL injection. According to Kornbrust, this re-opens a number of Oracle security holes which had allegedly been closed since patch day in July. They affect Oracle versions from 8.1.7.4 up to and including 10.2.0.2. Kornbrust informed Oracle of this problem in April 2006. A patch has not been provided. The vendor told Kornbrust that Oracle has no problem with information on this hole being published.


(ju)

Permalink: http://h-online.com/-731290
 

