I am not a lawyer, but I do remember reading an article that used a very similar example. I believe this is illegal in California and I would not be surprised to hear that it's illegal in Oregon. Most likely this depends on the state, probably the state in which the server resides.

I too am interested in hearing from a lawyer if there is one on this list.

D. Joe Royer II, CCNA, CISSP

On Wed, 17 Jul 2002, Deus, Attonbitus wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> I hesitate asking the group about law, but here goes:
>
> Let's say a site gives you the capability to search their product-base via a
> web input box. You know, the standard search/submit deal.
>
> You type in "bicycle" and it gives you everything that starts with
> "bicycle." Simple enough. As we all know, web app susceptibility to SQL
> injects runs amok; let's say in this case that instead of typing "bicycle,"
> I type "bicycle' or 1=1--" and get all the products. Have I broken the
> law? More specifically, have I broken the law in the US?
>
> One could argue that the site is allowing me to specify what I want to see,
> and all I am doing is typing in what I want... Though the developer may
> not have intended for me to pull up the data like that, does my doing so
> constitute a crime?
>
> I'm not looking for ethical or moral debate here, I am hoping someone has
> some distinct legal experience who knows. Thanks.
>
> AD
>
This archive was generated by hypermail 2b30 : Thu Jul 18 2002 - 09:13:08 PDT