From: Daniel Polombo (polombo@cartel-securite.fr)
Date: Tue Jul 30 2002 - 05:13:01 EDT
Le dim 21/07/2002 à 22:33, Deus, Attonbitus a écrit :
> But when they throw in vague wording such as "exceeding authorized access"
> or "intent" and blah, blah, blah, it really opens it up for varied
> interpretation.
Which basically means that the best lawyer has a good chance to win the
case.
> I guess my point of view is that the developer is explicitly allowing a
> user to submit a query. If he does not sanitize user input, then they are
> "allowing" me to submit the query as I wish- in this case, changing the
> logic to ['bicycle' or 1=1]. I don't think that anyone would go to the
> trouble of trying to prosecute for this type of SQL injection, particularly
> since there is no "damage" or anything, but what do you do when I do
> ['bicycle' union select name,password from sysxlogins--] ? It is really
> the same thing, and there are still no damages, but there is a far greater
> potential for abuse.
IANAL, and I don't even live in the US, but I have seen a similar case
recently in France. The hacker used SQL injection to obtain a list of
accounts from a large website. He was caught and sued, the first because
he'd been careless, the second because the firm owning the site wanted
to make an example. There was no malicious intent on the hacker's part,
but the particulars of the case made it difficult to clearly prove this.
In the end, all charges against him were dropped. In France (and more
generally in Europe), a website requiring registration which stores
personal information about its users is responsible for the security of
that information, and the site's owner was told he was responsible of
that vulnerability in his site.
However, this is only an example. French law clearly takes into account
the intent of the person violating the law. In that case, he managed to
convince the court that there was no malicious intent. The very same
case could have gone very differently if the court had been convinced of
a malicious intent.
> So, it looks like we are where we normally are with this sort of thing-
> nobody really knows until the law is tested.
Yep, and even so, a single case is no guarantee that the next one will
be treated the same way.
HTH,
Daniel
-- Daniel Polombo Consultant Cartel Sécurité ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:24 EDT