From: Michael Deyo (MichaelD@JanusAssociates.COM)
Date: Wed Jul 17 2002 - 14:23:49 EDT
Disclaimer - I am not an attorney, I have not received formal legal
training, and I do not hold any legal credentials. Therefore, I am not
qualified to give profession legal advice. All views expressed in this
message are based on personal opinion and experience.
The Federal computer crime law (18 U.S.C. 1030, Computer Fraud and Abuse
Act) makes it illegal for anyone to intentionally access a computer without
authorization, or in excess of authorization, and "obtain information from
any protected computer if the conduct involved an interstate or foreign
communication." All computers connected to the Internet potentially engage
in interstate communication by the nature of the way in which the Internet
operates, so this statue applies to all Internet hosts. The entire text of
the Act can be viewed at
http://www.usdoj.gov/criminal/cybercrime/1030_new.html.
In your scenario, you were authorized to access the website and enter search
terms at your discretion. I would argue that it is the responsibility of
the computer system owner to communicate what types of activity are
authorized and unauthorized. If there was specific communication that SQL
injection constitutes unauthorized activity, and that only valid search
terms should be entered, you have violated this Act. If, however, you
accessed the site and had a reasonable belief that you held the privilege to
enter any and all search terms, it would be difficult to prove intent to
gain unauthorized access on your part. In addition, it is the
responsibility of the system developer to include security mechanisms to
prevent unauthorized access. You did not circumvent a security mechanism in
this case.
Another issue to examine is the degree of damage caused to the system as a
result of the SQL injection. If you simply returned the entire product
listing, this is a relatively benign activity. This is assuming that the
information returned is not particularly sensitive, such as bank records,
credit card numbers, or protected health information. If, however, you used
SQL injection to modify information or destroy data, this is a more critical
issue. This will certainly violate the Federal statue, and most state laws.
While it may be implied that you have authorization to view the resulting
information of searches, it is not implied that you are authorized to modify
or delete system information.
Mike
-----Original Message-----
From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
Sent: Wednesday, July 17, 2002 12:48 PM
To: Pen-Test
Subject: SQL Injection Legalities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I hesitate asking the group about law, but here goes:
Lets say a site gives you the capability to search their product-base via a
web input box. You know, the standard search/submit deal.
You type in "bicycle" and it gives you everything that starts with
"bicycle." Simple enough. As we all know, web app susceptibility to SQL
injects runs amok; lets say in this case that instead of typing "bicycle,"
I type "bicycle' or 1=1--" and get all the products. Have I broken the
law? More specifically, have I broken the law in the US?
One could argue that the site is allowing me to specify what I want to see,
and all I am doing is typing in what I want... Though the developer may
not have intended for me to pull up the data like that, does my doing so
constitute a crime?
I'm not looking for ethical or moral debate here, I am hoping someone has
some distinct legal experience who knows. Thanks.
AD
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPTWfwYhsmyD15h5gEQLKuACgioeYyenUFEbI6HXpYbo5AjL920cAoNJv
ANJ4aOg8vjqGS5JSZK2V5Hyt
=nm/7
-----END PGP SIGNATURE-----
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:23 EDT