Re: SQL Injection Legalities

From: Quickfinger (junk@quickfinger.com)
Date: Wed Jul 17 2002 - 19:11:38 EDT


I am not a lawyer, but I do remember reading an article that used a
very similar example. I believe this is illegal in California and I
would not be surprised to hear that it's illegal in Oregon. Most
likely this depends on the state, probably the state in which the
server resides.

I too am interested in hearing from a lawyer if there is one on this
list.

D. Joe Royer II, CCNA, CISSP

On Wed, 17 Jul 2002, Deus, Attonbitus wrote:

>
> I hesitate asking the group about law, but here goes:
>
> Let's say a site gives you the capability to search their product-base via a
> web input box. You know, the standard search/submit deal.
>
> You type in "bicycle" and it gives you everything that starts with
> "bicycle." Simple enough. As we all know, web app susceptibility to SQL
> injects runs amok; let's say in this case that instead of typing "bicycle,"
> I type "bicycle' or 1=1--" and get all the products. Have I broken the
> law? More specifically, have I broken the law in the US?
>
> One could argue that the site is allowing me to specify what I want to see,
> and all I am doing is typing in what I want... Though the developer may
> not have intended for me to pull up the data like that, does my doing so
> constitute a crime?
>
> I'm not looking for ethical or moral debate here, I am hoping someone has
> some distinct legal experience who knows. Thanks.
>
> AD
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


