Penetration Testing mailing list archives

RE: Informing Companies about security vulnerabilities...


From: "Levenglick, Jeff" <JLevenglick () fhlbatl com>
Date: Thu, 5 Oct 2006 14:03:37 -0400

Tyler,

What in the world are you talking about? If you read his email, he said
that he was doing XSS and SQL injections on someone else's web site. In
order for him to say that the SQL attack worked, he would have to see
some data. Therefore, at the very least, he has viewed private data.

What is VERY illegal is the fact that he knew there was an issue and
then kept going. He should have stopped at that point and let the
company know.
(He should not have been there in the first place.)

A good example:
You walk along the sidewalk in a small town at night. All the stores are
closed. For whatever reason you turn the door knob on each store you
pass to see if the door is locked.

You find one that is unlocked. A normal person would either close the
door and leave or let someone know.

This guy did the equivalent of going in the store to see if he could
find other problems, i.e. a light is on, a fan is on, etc. At that
point, if you left a note telling the owner that not only was the door
open, but you came in and tested everything in the store, I would think
that he would call the cops and a lawyer and not you.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Krpata, Tyler
Sent: Wednesday, October 04, 2006 4:13 PM
To: bugtraq () cgisecurity net; joe () learnsecurityonline com;
pen-test () securityfocus com
Cc: bugtraq () securityfocus com
Subject: RE: Informing Companies about security vulnerabilities...

"On the count of entering an apostrophe into the Search box on the
plaintiff's web site, how do you plead?"

....doubtful.

-----Original Message-----
From: bugtraq () cgisecurity net [mailto:bugtraq () cgisecurity net] 
Sent: Wednesday, October 04, 2006 3:15 PM
To: joe () learnsecurityonline com; pen-test () securityfocus com
Cc: bugtraq () securityfocus com
Subject: RE: Informing Companies about security vulnerabilities...

So you are admitting publicly that you and a class of students that you
teach are illegally testing random public websites for the purpose of
learning about security vulnerabilities? Sounds like you/your company
need to speak with a lawyer.

- Robert 
http://www.cgisecurity.com/ Application Security news and more
http://www.cgisecurity.com/index.rss [RSS Security Feed]

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Joseph McCray
Sent: Wednesday, October 04, 2006 3:07 AM
To: pen-test () securityfocus com
Subject: Informing Companies about security vulnerabilities...

This probably won't sound like that big of a deal, but it still bothered
me so I figured I'd ask the list. I was teaching a Web Application
Security class last week and we were performing simple XSS, SQL
Injection, etc. on the vulnerable web apps I use for class.





