-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I hesitate asking the group about law, but here goes: Lets say a site gives you the capability to search their product-base via a web input box. You know, the standard search/submit deal. You type in "bicycle" and it gives you everything that starts with "bicycle." Simple enough. As we all know, web app susceptibility to SQL injects runs amok; lets say in this case that instead of typing "bicycle," I type "bicycle' or 1=1--" and get all the products. Have I broken the law? More specifically, have I broken the law in the US? One could argue that the site is allowing me to specify what I want to see, and all I am doing is typing in what I want... Though the developer may not have intended for me to pull up the data like that, does my doing so constitute a crime? I'm not looking for ethical or moral debate here, I am hoping someone has some distinct legal experience who knows. Thanks. AD -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQA/AwUBPTWfwYhsmyD15h5gEQLKuACgioeYyenUFEbI6HXpYbo5AjL920cAoNJv ANJ4aOg8vjqGS5JSZK2V5Hyt =nm/7 -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Jul 17 2002 - 10:48:36 PDT