Penetration Testing mailing list archives
SQL Injection Legalities
From: "Deus, Attonbitus" <Thor () HammerofGod com>
Date: Wed, 17 Jul 2002 09:48:01 -0700
I hesitate asking the group about law, but here goes:

Let's say a site gives you the capability to search their product-base via a web input box. You know, the standard search/submit deal. You type in "bicycle" and it gives you everything that starts with "bicycle." Simple enough.

As we all know, web app susceptibility to SQL injects runs amok; let's say in this case that instead of typing "bicycle," I type "bicycle' or 1=1--" and get all the products.

Have I broken the law? More specifically, have I broken the law in the US? One could argue that the site is allowing me to specify what I want to see, and all I am doing is typing in what I want... Though the developer may not have intended for me to pull up the data like that, does my doing so constitute a crime?

I'm not looking for ethical or moral debate here, I am hoping someone has some distinct legal experience who knows.

Thanks.

AD

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/