Penetration Testing mailing list archives

RE: SQL Injection Legalities

From: Joe <junk () quickfinger com>
Date: Thu, 18 Jul 2002 11:00:34 -0500 (CDT)

This only applies to communications that cross state lines.  If you,
and the host you are attempting to exploit, are in the same state, it
would fall under state law.

Perhaps the argument could be made that the packets left the state
while travelling between your two machines, but that's a matter for
court precedents.

On Wed, 17 Jul 2002 darrell () cpp com wrote:

Check out

http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/47/sectio
ns/section_1030.html

I think you'll find your answer

US Title 18: Part I: Chapter 47, Section 1030


-----Original Message-----
From: Deus, Attonbitus [mailto:Thor () HammerofGod com]
Sent: Wednesday, July 17, 2002 9:48 AM
To: Pen-Test
Subject: SQL Injection Legalities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I hesitate asking the group about law, but here goes:

Lets say a site gives you the capability to search their product-base via a
web input box.  You know, the standard search/submit deal.

You type in "bicycle" and it gives you everything that starts with
"bicycle."  Simple enough.  As we all know, web app susceptibility to SQL
injects runs amok; lets say in this case that instead of typing "bicycle,"
I type "bicycle' or 1=1--" and get all the products.  Have I broken the
law?  More specifically, have I broken the law in the US?

One could argue that the site is allowing me to specify what I want to see,
and all I am doing is typing in what I want...  Though the developer may
not have intended for me to pull up the data like that, does my doing so
constitute a crime?

I'm not looking for ethical or moral debate here, I am hoping someone has
some distinct legal experience who knows.  Thanks.

AD




----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

SQL Injection Legalities Deus, Attonbitus (Jul 17)
- Re: SQL Injection Legalities Quickfinger (Jul 18)
- <Possible follow-ups>
- RE: SQL Injection Legalities darrell (Jul 18)
  - RE: SQL Injection Legalities Joe (Jul 18)
- RE: SQL Injection Legalities Michael Deyo (Jul 18)
  - RE: SQL Injection Legalities Joe (Jul 18)
- RE: SQL Injection Legalities Weaver, Woody (Jul 22)
- RE: SQL Injection Legalities Deus, Attonbitus (Jul 22)
  - RE: SQL Injection Legalities Daniel Polombo (Jul 30)
- RE: SQL Injection Legalities Weaver, Woody (Jul 22)