Penetration Testing mailing list archives
RE: SQL Injection Legalities
From: "Deus, Attonbitus" <Thor () HammerofGod com>
Date: Sun, 21 Jul 2002 13:33:15 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 12:13 PM 7/21/2002, Weaver, Woody wrote:

> I don't think that applies, as long as the machine wasn't a computer owned by the US government, wasn't a protected computer (accessible to the public is probably good cause), and there was no intent to defraud or extort.
I thought the same thing when I re-read the law... I've seen it referenced several times, and have read over it several times previously, but w/o being a lawyer, it is hard to tell to what degree they could apply it to different scenarios. But when they throw in vague wording such as "exceeding authorized access" or "intent" and blah, blah, blah, it really opens it up for varied interpretation.

I guess my point of view is that the developer is explicitly allowing a user to submit a query. If he does not sanitize user input, then they are "allowing" me to submit the query as I wish- in this case, changing the logic to ['bicycle' or 1=1]. I don't think that anyone would go to the trouble of trying to prosecute for this type of SQL injection, particularly since there is no "damage" or anything, but what do you do when I do ['bicycle' union select name,password from sysxlogins--]? It is really the same thing, and there are still no damages, but there is a far greater potential for abuse.

What I guess I was really looking for was a response from a lawyer who said "Yes, someone did this and we nailed their butt" or "Yes, someone did this and there was really nothing we could do about it- see Smith vs BigCorp" or something along those lines.

To me, SQL Injection is a different animal-- no port scanning, no direct vulnerability exploitation, and not even uploading stuff (unless you want to, of course), and you can still get to everything you want. When the developer uses "UID=SA;PWD=" in the damn connection string, then they would have a hard time saying that I exceeded authorization, you know?

So, it looks like we are where we normally are with this sort of thing- nobody really knows until the law is tested. Thanks to all for the responses.
Have a good one- Cheers- AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPTsaiohsmyD15h5gEQI1HwCdFd+f4KKy7E6QP70v+VoJbIRk1G4AnA7s
HlYsYHMAqdhiTd+TgizMKOyM
=GT9I
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
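The message above turns on one developer mistake: user input pasted straight into the SQL text, so a value like ['bicycle' or 1=1] rewrites the query's logic. The following is an added illustration, not code from the original message or from anyone in the thread; it uses Python's built-in sqlite3 module, a constructed three-row product table, and two hypothetical functions (search_vulnerable, search_parameterized) to show the unsanitized query beside its parameterized fix on the same input.

```python
import sqlite3

# Constructed sample catalogue (not from the original message).
SAMPLE_ROWS = [
    ("bicycle", 199.0),
    ("helmet", 35.5),
    ("lock", 12.0),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, user_input):
    """The mistake the post describes: the user's string becomes part of the
    SQL text, so a quote character in it ends the literal and whatever follows
    is parsed as SQL. Returns the matching product names, sorted."""
    sql = "SELECT name FROM products WHERE name = '" + user_input + "'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn, user_input):
    """Hardened form: the value is bound as a parameter, never spliced into the
    SQL text, so quotes and keywords in it are just characters to compare
    against the column. Returns the matching product names, sorted."""
    sql = "SELECT name FROM products WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (user_input,)))


if __name__ == "__main__":
    db = make_db()
    # A normal search behaves the same either way.
    print(search_vulnerable(db, "bicycle"))       # ['bicycle']
    print(search_parameterized(db, "bicycle"))    # ['bicycle']
    # The post's "or 1=1" input: the vulnerable query returns every row,
    # the parameterized query looks for a product literally named that.
    tampered = "bicycle' or 1=1 --"
    print(search_vulnerable(db, tampered))        # ['bicycle', 'helmet', 'lock']
    print(search_parameterized(db, tampered))     # []
```

The point for a defender is that parameter binding removes the "allowing me to submit the query as I wish" situation entirely, because the input can no longer change the query's structure. The post's other observation, a connection string with "UID=SA;PWD=", is a separate control: the application account should own only the rights the query needs, so that even a query that does get through cannot read a login table.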
Current thread:
- SQL Injection Legalities Deus, Attonbitus (Jul 17)
- Re: SQL Injection Legalities Quickfinger (Jul 18)
- <Possible follow-ups>
- RE: SQL Injection Legalities darrell (Jul 18)
- RE: SQL Injection Legalities Joe (Jul 18)
- RE: SQL Injection Legalities Michael Deyo (Jul 18)
- RE: SQL Injection Legalities Joe (Jul 18)
- RE: SQL Injection Legalities Weaver, Woody (Jul 22)
- RE: SQL Injection Legalities Deus, Attonbitus (Jul 22)
- RE: SQL Injection Legalities Daniel Polombo (Jul 30)
- RE: SQL Injection Legalities Weaver, Woody (Jul 22)