RE: SQL Injection Legalities

["Deus, Attonbitus" <Thor () HammerofGod com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 12:13 PM 7/21/2002, Weaver, Woody wrote:
> I don't think that applies, as long as the machine wasn't a computer owned
> by the US government, wasn't a protected computer (accessible to the public
> is probably good cause), and there was no intent to defraud or extort.


I thought the same thing when I re-read the law... I've seen it referenced 
several times, and have read over it several times previously, but w/o 
being a lawyer, it is hard to tell to what degree they could apply it to 
different scenarios.

But when they throw in vague wording such as "exceeding authorized access" 
or "intent" and blah, blah, blah, it really opens it up for varied 
interpretation.

I guess my point of view is that the developer is explicitly allowing a 
user to submit a query.  If he does not sanitize user input, then they are 
"allowing" me to submit the query as I wish- in this case, changing the 
logic to ['bicycle' or 1=1].  I don't think that anyone would go to the 
trouble of trying to prosecute for this type of SQL injection, particularly 
since there is no "damage" or anything, but what do you do when I do 
['bicycle' union select name,password from sysxlogins--] ?  It is really 
the same thing, and there are still no damages, but there is a far greater 
potential for abuse.

What I guess I was really looking for was a response from a lawyer who said 
"Yes, someone did this and we nailed their butt" or "Yes, someone did this 
and there was really nothing we could do about it- see Smith vs BigCorp" or 
something along those lines.  To me, SQL Injection is a different animal-- 
no port scanning, no direct vulnerability exploitation, and not even 
uploading stuff (unless you want to, of course) and you can still get to 
everything you want.  When the developer uses "UID=SA;PWD=" in the damn 
connection string, then they would have a hard time saying that I exceeded 
authorization, you know?

So, it looks like we are where we normally are with this sort of thing- 
nobody really knows until the law is tested.

Thanks to all for the responses.  Have a good one-

Cheers-

AD


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPTsaiohsmyD15h5gEQI1HwCdFd+f4KKy7E6QP70v+VoJbIRk1G4AnA7s
HlYsYHMAqdhiTd+TgizMKOyM
=GT9I
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/