Name SQL Injection in package SYS.DBMS_STATS (6980751) [DB21] Systems Oracle 10g Release 1 Severity High Risk Category SQL Injection Vendor URL http://www.oracle.com/ Author Alexander Kornbrust (ak at red-database-security.com) Advisory 18 Jul 2006 (V 1.00) Advisory ######## http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_stats.html Details ####### The package SYS.DBMS_STATS contains a SQL injection vulnerability. Oracle fixed these vulnerabilities with the package dbms_assert. To exploit this vulnerability it is necessary to have the privilege to create a PL/SQL-function. Patch Information ################# Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1. History ####### 01-nov-2005 Oracle secalert was informed 02-nov-2005 Oracle secalert asked for an exploit 18-jul-2006 Oracle published CPU July 2006 [DB21] 18-jul-2006 Advisory published Additional Information ###################### An analysis of the Oracle CPU July 2006 is available here http://www.red-database-security.com/advisory/oracle_cpu_july_2006.html This document will be updated during the next few days and weeks with the latest information.
Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.