RE: SQL Injection Legalities

From: darrellat_private
Date: Wed Jul 17 2002 - 11:01:53 PDT

Next message: John Madden: "HTTP server used as proxy ?"

Previous message: Alfred Huger: "Announcement"
Maybe in reply to: Deus, Attonbitus: "SQL Injection Legalities"
Next in thread: Joe: "RE: SQL Injection Legalities"
Next in thread: Michael Deyo: "RE: SQL Injection Legalities"
Reply: Joe: "RE: SQL Injection Legalities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Check out

http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/47/sectio
ns/section_1030.html

I think you'll find your answer

US Title 18: Part I: Chapter 47, Section 1030


-----Original Message-----
From: Deus, Attonbitus [mailto:Thorat_private]
Sent: Wednesday, July 17, 2002 9:48 AM
To: Pen-Test
Subject: SQL Injection Legalities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I hesitate asking the group about law, but here goes:

Lets say a site gives you the capability to search their product-base via a 
web input box.  You know, the standard search/submit deal.

You type in "bicycle" and it gives you everything that starts with 
"bicycle."  Simple enough.  As we all know, web app susceptibility to SQL 
injects runs amok; lets say in this case that instead of typing "bicycle," 
I type "bicycle' or 1=1--" and get all the products.  Have I broken the 
law?  More specifically, have I broken the law in the US?

One could argue that the site is allowing me to specify what I want to see, 
and all I am doing is typing in what I want...  Though the developer may 
not have intended for me to pull up the data like that, does my doing so 
constitute a crime?

I'm not looking for ethical or moral debate here, I am hoping someone has 
some distinct legal experience who knows.  Thanks.

AD


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPTWfwYhsmyD15h5gEQLKuACgioeYyenUFEbI6HXpYbo5AjL920cAoNJv
ANJ4aOg8vjqGS5JSZK2V5Hyt
=nm/7
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: John Madden: "HTTP server used as proxy ?"
Previous message: Alfred Huger: "Announcement"
Maybe in reply to: Deus, Attonbitus: "SQL Injection Legalities"
Next in thread: Joe: "RE: SQL Injection Legalities"
Next in thread: Michael Deyo: "RE: SQL Injection Legalities"
Reply: Joe: "RE: SQL Injection Legalities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 18 2002 - 08:30:47 PDT