[41096] in bugtraq
Oracle DBMS_ASSERT and the October 2005 CPU
daemon@ATHENA.MIT.EDU (NGSSoftware Insight Security Resea)
Tue Nov 8 12:48:00 2005
Message-ID: <001401c5e485$749740a0$2500a8c0@ngssoftware.com>
From: "NGSSoftware Insight Security Research" <nisr@nextgenss.com>
To: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>
Date: Tue, 8 Nov 2005 16:57:07 -0000
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
Whilst there are problems with the Oracle October 2005 Critical Patch
Update, it's not all bad news....
There is a great deal of evidence in this patch that Oracle are beginning to
treat security properly. They've introduced a new package PL/SQL package
DBMS_ASSERT into the RDBMS. Whilst DBMS_ASSERT was first released as part of
the new10g Release 2 it has been packported. Oracle use this package to
sanitize user input to help prevent SQL injection. As this package has not
been documented NGSResearch have done so aqs we feel that third-party Oracle
app developers could benefit by using the package. This, and other papers,
can be found at http://www.ngssoftware.com/papers.htm .
Cheers,
The NGSResearch Team
