RE: SQL Injection Legalities

From: darrell@cpp.com
Date: Wed Jul 17 2002 - 14:01:53 EDT

• Next message: John Madden: "HTTP server used as proxy ?"
• Previous message: Alfred Huger: "Announcement"
• Maybe in reply to: Deus, Attonbitus: "SQL Injection Legalities"
• Next in thread: Joe: "RE: SQL Injection Legalities"
• Reply: Joe: "RE: SQL Injection Legalities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Check out

http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/47/sectio
ns/section_1030.html

I think you'll find your answer

US Title 18: Part I: Chapter 47, Section 1030

-----Original Message-----
From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
Sent: Wednesday, July 17, 2002 9:48 AM
To: Pen-Test
Subject: SQL Injection Legalities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I hesitate asking the group about law, but here goes:

Lets say a site gives you the capability to search their product-base via a
web input box. You know, the standard search/submit deal.

You type in "bicycle" and it gives you everything that starts with
"bicycle." Simple enough. As we all know, web app susceptibility to SQL
injects runs amok; lets say in this case that instead of typing "bicycle,"
I type "bicycle' or 1=1--" and get all the products. Have I broken the
law? More specifically, have I broken the law in the US?

One could argue that the site is allowing me to specify what I want to see,
and all I am doing is typing in what I want... Though the developer may
not have intended for me to pull up the data like that, does my doing so
constitute a crime?

I'm not looking for ethical or moral debate here, I am hoping someone has
some distinct legal experience who knows. Thanks.

AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPTWfwYhsmyD15h5gEQLKuACgioeYyenUFEbI6HXpYbo5AjL920cAoNJv
ANJ4aOg8vjqGS5JSZK2V5Hyt
=nm/7
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: John Madden: "HTTP server used as proxy ?"
• Previous message: Alfred Huger: "Announcement"
• Maybe in reply to: Deus, Attonbitus: "SQL Injection Legalities"
• Next in thread: Joe: "RE: SQL Injection Legalities"
• Reply: Joe: "RE: SQL Injection Legalities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:23 EDT