RE: SQL Injection Legalities

From: Deus, Attonbitus (Thor@HammerofGod.com)
Date: Sun Jul 21 2002 - 16:33:15 EDT

• Next message: Weaver, Woody: "RE: SQL Injection Legalities"
• Previous message: icer: "Core Impact"
• Maybe in reply to: Deus, Attonbitus: "SQL Injection Legalities"
• Next in thread: Daniel Polombo: "RE: SQL Injection Legalities"
• Reply: Daniel Polombo: "RE: SQL Injection Legalities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 12:13 PM 7/21/2002, Weaver, Woody wrote:
>I don't think that applies, as long as the machine wasn't a computer owned
>by the US government, wasn't a protected computer (accessible to the public
>is probably good cause), and there was no intent to defraud or extort.

I thought the same thing when I re-read the law... I've seen it referenced
several times, and have read over it several times previously, but w/o
being a lawyer, it is hard to tell to what degree they could apply it to
different scenarios.

But when they throw in vague wording such as "exceeding authorized access"
or "intent" and blah, blah, blah, it really opens it up for varied
interpretation.

I guess my point of view is that the developer is explicitly allowing a
user to submit a query. If he does not sanitize user input, then they are
"allowing" me to submit the query as I wish- in this case, changing the
logic to ['bicycle' or 1=1]. I don't think that anyone would go to the
trouble of trying to prosecute for this type of SQL injection, particularly
since there is no "damage" or anything, but what do you do when I do
['bicycle' union select name,password from sysxlogins--] ? It is really
the same thing, and there are still no damages, but there is a far greater
potential for abuse.

What I guess I was really looking for was a response from a lawyer who said
"Yes, someone did this and we nailed their butt" or "Yes, someone did this
and there was really nothing we could do about it- see Smith vs BigCorp" or
something along those lines. To me, SQL Injection is a different animal--
no port scanning, no direct vulnerability exploitation, and not even
uploading stuff (unless you want to, of course) and you can still get to
everything you want. When the developer uses "UID=SA;PWD=" in the damn
connection string, then they would have a hard time saying that I exceeded
authorization, you know?

So, it looks like we are where we normally are with this sort of thing-
nobody really knows until the law is tested.

Thanks to all for the responses. Have a good one-

Cheers-

AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPTsaiohsmyD15h5gEQI1HwCdFd+f4KKy7E6QP70v+VoJbIRk1G4AnA7s
HlYsYHMAqdhiTd+TgizMKOyM
=GT9I
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: Weaver, Woody: "RE: SQL Injection Legalities"
• Previous message: icer: "Core Impact"
• Maybe in reply to: Deus, Attonbitus: "SQL Injection Legalities"
• Next in thread: Daniel Polombo: "RE: SQL Injection Legalities"
• Reply: Daniel Polombo: "RE: SQL Injection Legalities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:23 EDT