From: Deus, Attonbitus (Thor@HammerofGod.com)
Date: Wed Jul 17 2002 - 12:48:01 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I hesitate asking the group about law, but here goes:
Lets say a site gives you the capability to search their product-base via a
web input box. You know, the standard search/submit deal.
You type in "bicycle" and it gives you everything that starts with
"bicycle." Simple enough. As we all know, web app susceptibility to SQL
injects runs amok; lets say in this case that instead of typing "bicycle,"
I type "bicycle' or 1=1--" and get all the products. Have I broken the
law? More specifically, have I broken the law in the US?
One could argue that the site is allowing me to specify what I want to see,
and all I am doing is typing in what I want... Though the developer may
not have intended for me to pull up the data like that, does my doing so
constitute a crime?
I'm not looking for ethical or moral debate here, I am hoping someone has
some distinct legal experience who knows. Thanks.
AD
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPTWfwYhsmyD15h5gEQLKuACgioeYyenUFEbI6HXpYbo5AjL920cAoNJv
ANJ4aOg8vjqGS5JSZK2V5Hyt
=nm/7
-----END PGP SIGNATURE-----
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:23 EDT