Re: SQL Injection Legalities

From: Quickfinger (junk@quickfinger.com)
Date: 07/18/02


Date: Wed, 17 Jul 2002 18:11:38 -0500 (CDT)
From: Quickfinger <junk@quickfinger.com>
To: "Deus, Attonbitus" <Thor@HammerofGod.com>

I am not a lawyer, but I do remember reading an article that used a
very similar example. I believe this is illegal in California and I
would not be surprised to hear that it's illegal in Oregon. Most
likely this depends on the state, probably the state in which the
server resides.

I too am interested in hearing from a lawyer if there is one on this
list.

D. Joe Royer II, CCNA, CISSP

On Wed, 17 Jul 2002, Deus, Attonbitus wrote:

> I hesitate asking the group about law, but here goes:
>
> Let's say a site gives you the capability to search their product-base via a
> web input box. You know, the standard search/submit deal.
>
> You type in "bicycle" and it gives you everything that starts with
> "bicycle." Simple enough. As we all know, web app susceptibility to SQL
> injects runs amok; let's say in this case that instead of typing "bicycle,"
> I type "bicycle' or 1=1--" and get all the products. Have I broken the
> law? More specifically, have I broken the law in the US?
>
> One could argue that the site is allowing me to specify what I want to see,
> and all I am doing is typing in what I want... Though the developer may
> not have intended for me to pull up the data like that, does my doing so
> constitute a crime?
>
> I'm not looking for ethical or moral debate here, I am hoping someone has
> some distinct legal experience who knows. Thanks.
>
> AD
>
