Penetration Testing mailing list archives

Re: SQL Injection Legalities


From: Quickfinger <junk () quickfinger com>
Date: Wed, 17 Jul 2002 18:11:38 -0500 (CDT)

I am not a lawyer, but I do remember reading an article that used a
very similar example.  I believe this is illegal in California and I
would not be surprised to hear that it's illegal in Oregon.  Most
likely this depends on the state, probably the state in which the
server resides.

I too am interested in hearing from a lawyer if there is one on this
list.

D. Joe Royer II, CCNA, CISSP

On Wed, 17 Jul 2002, Deus, Attonbitus wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I hesitate asking the group about law, but here goes:

Let's say a site gives you the capability to search their product-base via a
web input box.  You know, the standard search/submit deal.

You type in "bicycle" and it gives you everything that starts with
"bicycle."  Simple enough.  As we all know, web app susceptibility to SQL
injects runs amok; let's say in this case that instead of typing "bicycle,"
I type "bicycle' or 1=1--" and get all the products.  Have I broken the
law?  More specifically, have I broken the law in the US?

One could argue that the site is allowing me to specify what I want to see,
and all I am doing is typing in what I want...  Though the developer may
not have intended for me to pull up the data like that, does my doing so
constitute a crime?

I'm not looking for ethical or moral debate here, I am hoping someone has
some distinct legal experience who knows.  Thanks.

AD



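The search box scenario in the quoted message, as an added worked example that is not part of either post: a product search that concatenates the input into its SQL, the same search with the term bound as a parameter, and what each returns for "bicycle" and for "bicycle' or 1=1--". The catalogue rows, the table layout and the use of Python with an in-memory SQLite database are assumptions standing in for whatever the site in the question actually runs.

```python
import sqlite3

# Constructed sample catalogue; these rows are not from the original thread.
PRODUCTS = [
    ("bicycle pump", 12.50),
    ("bicycle helmet", 45.00),
    ("kayak paddle", 60.00),
    ("tent", 120.00),
]


def make_db():
    """Build an in-memory database with the constructed product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    """Prefix search built by string concatenation, as the hypothetical
    search box in the thread does.  The term becomes part of the SQL text,
    so a quote in it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT name FROM products WHERE name LIKE '" + term + "%'"
    # For term = "bicycle' or 1=1--" the text sent to the engine is:
    #   SELECT name FROM products WHERE name LIKE 'bicycle' or 1=1--%'
    # "--" starts a comment, so the trailing "%'" is ignored and the
    # OR 1=1 makes the WHERE clause true for every row.
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Same search with the term bound as a parameter.  The SQL text is
    fixed; the driver hands the term to the engine as a value, so quotes
    and comment markers in it are just characters to match against."""
    # Escape LIKE wildcards so a user-typed % or _ is matched literally.
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    for term in ("bicycle", "bicycle' or 1=1--"):
        print("input:        ", repr(term))
        print("  concatenated:", search_vulnerable(db, term))
        print("  parameterized:", search_parameterized(db, term))
```

With the normal term both versions return the two bicycle products. With the injected term the concatenated version returns the whole table, while the parameterized version looks for a product whose name literally begins with "bicycle' or 1=1--" and returns nothing.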