-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 12:13 PM 7/21/2002, Weaver, Woody wrote: >I don't think that applies, as long as the machine wasn't a computer owned >by the US government, wasn't a protected computer (accessible to the public >is probably good cause), and there was no intent to defraud or extort. I thought the same thing when I re-read the law... I've seen it referenced several times, and have read over it several times previously, but w/o being a lawyer, it is hard to tell to what degree they could apply it to different scenarios. But when they throw in vague wording such as "exceeding authorized access" or "intent" and blah, blah, blah, it really opens it up for varied interpretation. I guess my point of view is that the developer is explicitly allowing a user to submit a query. If he does not sanitize user input, then they are "allowing" me to submit the query as I wish- in this case, changing the logic to ['bicycle' or 1=1]. I don't think that anyone would go to the trouble of trying to prosecute for this type of SQL injection, particularly since there is no "damage" or anything, but what do you do when I do ['bicycle' union select name,password from sysxlogins--] ? It is really the same thing, and there are still no damages, but there is a far greater potential for abuse. What I guess I was really looking for was a response from a lawyer who said "Yes, someone did this and we nailed their butt" or "Yes, someone did this and there was really nothing we could do about it- see Smith vs BigCorp" or something along those lines. To me, SQL Injection is a different animal-- no port scanning, no direct vulnerability exploitation, and not even uploading stuff (unless you want to, of course) and you can still get to everything you want. When the developer uses "UID=SA;PWD=" in the damn connection string, then they would have a hard time saying that I exceeded authorization, you know? So, it looks like we are where we normally are with this sort of thing- nobody really knows until the law is tested. Thanks to all for the responses. Have a good one- Cheers- AD -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQA/AwUBPTsaiohsmyD15h5gEQI1HwCdFd+f4KKy7E6QP70v+VoJbIRk1G4AnA7s HlYsYHMAqdhiTd+TgizMKOyM =GT9I -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Jul 22 2002 - 07:24:50 PDT