RE: SQL Injection Legalities

From: darrell@cpp.com
Date: 07/17/02


From: darrell@cpp.com
To: Thor@HammerofGod.com, PEN-TEST@SECURITYFOCUS.COM
Date: Wed, 17 Jul 2002 11:01:53 -0700

Check out

http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/47/sections/section_1030.html

I think you'll find your answer

US Title 18: Part I: Chapter 47, Section 1030

-----Original Message-----
From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
Sent: Wednesday, July 17, 2002 9:48 AM
To: Pen-Test
Subject: SQL Injection Legalities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I hesitate asking the group about law, but here goes:

Let's say a site gives you the capability to search their product-base via a
web input box. You know, the standard search/submit deal.

You type in "bicycle" and it gives you everything that starts with
"bicycle." Simple enough. As we all know, web app susceptibility to SQL
injects runs amok; let's say in this case that instead of typing "bicycle,"
I type "bicycle' or 1=1--" and get all the products. Have I broken the
law? More specifically, have I broken the law in the US?

One could argue that the site is allowing me to specify what I want to see,
and all I am doing is typing in what I want... Though the developer may
not have intended for me to pull up the data like that, does my doing so
constitute a crime?

I'm not looking for ethical or moral debate here, I am hoping someone has
some distinct legal experience who knows. Thanks.

AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPTWfwYhsmyD15h5gEQLKuACgioeYyenUFEbI6HXpYbo5AjL920cAoNJv
ANJ4aOg8vjqGS5JSZK2V5Hyt
=nm/7
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
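The two outcomes described in the original message, as an added example that is not part of the thread: a "starts with" search built by string concatenation beside the same search with the term bound as a parameter, run against a constructed in-memory SQLite table. The product names and table layout are constructed for the example; the injected search string is the one from the message.

```python
import sqlite3

# Constructed sample catalogue standing in for the site's product-base.
PRODUCTS = ["bicycle", "bicycle pump", "helmet", "tyre lever"]

# The search string from the original message.
INJECTED_TERM = "bicycle' or 1=1--"


def make_db() -> sqlite3.Connection:
    """Create an in-memory product table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [(p,) for p in PRODUCTS])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """Build the 'starts with' query by pasting the term into the SQL text.

    With INJECTED_TERM the statement becomes
        ... WHERE name LIKE 'bicycle' or 1=1--%'
    The quote closes the literal, "or 1=1" is evaluated as SQL, and "--"
    comments out the trailing %' so the statement still parses and the
    WHERE clause is true for every row.
    """
    sql = f"SELECT name FROM products WHERE name LIKE '{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list[str]:
    """Bind the term as a parameter so the database treats it as data.

    The quote and the "or 1=1--" stay inside the value being compared, so
    the query structure cannot change. (User-typed % and _ still act as
    LIKE wildcards; escape them separately if that matters for the site.)
    """
    sql = "SELECT name FROM products WHERE name LIKE ? || '%'"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "bicycle"))         # the two bicycle rows
    print(search_vulnerable(db, INJECTED_TERM))     # every row in the table
    print(search_parameterized(db, INJECTED_TERM))  # [] - no product has that literal name
```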

