Re: SQL injection

Russell Jones wrote:
> This is a good question and it, by and large, has not been considered.
> 
> In this particular instance, their programming is not protected by any kind
> of encryption laws that would prevent decryption (such as developing and
> deploying the decryption of Adobe Ebooks format).
> 
> Furthermore, because you reported the flaw directly to the webmaster and did
> not publish it, there is no way that you caused any meaningful damage, nor
> were you acting maliciously.
> 
> I have exposed XSS errors before on Google via my blog, even wrote a program
> for April Fools that let you use XSS to post fake articles to real news
> sites, and never got in trouble for it. You did not even announce the error
> to the community, so you should be completely safe.
> 
> In real life terms, if you walked into the store and saw that the cash
> register was slightly broken and slightly opened, and reached in and pulled
> out a dollar to show the cashier what was wrong, you would not get in
> trouble. It may be bold, but it is not a crime.

technically removing the dollar is a crime regardless of your intention.

with regard to finding vulnerabilities you are, in the US at least, technically
at the mercy of the site owner as to whether legal action could be taken against
you. read the following for at least 2 examples:

	http://www.securityfocus.com/news/11389/

one would hope sweden has less idiotic laws, and smarter IT managers.

you did the site a service, and hopefully they are smart enough to see it that way.

I would though in future, if you enjoy this kind of research, ask permission to
examine a site's security from the owners to be safe.

my personal opinion is that vulnerability research is a great game for nice people
who are looking to get shafted in a big way. which is a sad state of affairs all round,
but there you have it.

> 
> On 8/2/06, Peter Lauri <lists@xxxxxxxxxxx> wrote:
>>
>> Hi all,
>>
>> I saw some strange error messages from a site when I was surfing it, and it
>> was in the form of SQL. I did some testing of the security of the SQL injection
>> protection of that site, and it showed it was not that protected against SQL
>> injections. To show this to them, I deleted my own record in their database
>> after finding out the table name of the "entity" in the database. I also
>> found out a lot of other table names that I think are important.
>>
>> What I did to them was to report this to them, and inform them about the
>> damage I created, and what could have been done. (I did DELETE FROM
>> tablename WHERE id=1234, what if I did DELETE FROM tablename, destruction if
>> no backup). This is a large "athletic site" in Sweden, with more than
>> 100,000 daily visitors.
>>
>> What I am a little bit worried about is the legal part of this; can I be
>> accused of breaking some laws? I was just doing it to check if they were
>> protected, and I informed them about my process etc. I only deleted my
>> record, no one else's. In Sweden it might have been called "computer
>> break-in", but I am not sure.
>>
>> Anyone with experience of a similar thing?
>>
>> Best regards,
>>
>> Peter Lauri

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

