Valdis & Benji, I don't recall the OP saying he did an open test, nor injecting anything into the database, and as much as I've read, not even RFI. Causing a server to spit out sensitive information without modification (unauthorized access and service failures/denial of service) surely doesn't count as a crime. Someone picking up $1000 from the road is obviously not a criminal either (assuming the money is legit); getting into a bank, on the other hand, is a crime.
I'm speaking this from a little personal experience of mine, where I came upon several XSS exploits on a gov't main site (it's nothing); however, point being, I didn't go there with the intent to do any harm, and didn't have to, to notice the serious flaw. That said, something I did in Malta could be punished by beheading in Iran for all I know (and a severe fine in the US). It all depends on the law. Assuming it is a fair and comprehensible one (or simply outdated), this kind of "attack" is not covered, or puts the defendant [company/gov't] in serious implications (such as in my case, where the gov't is bound by law to provide a high-uptime service with as much security as possible, yet it had serious but basic flaws).

Regards,
Chris.

On Mon, Feb 22, 2010 at 9:45 PM, <[email protected]> wrote:
> On Mon, 22 Feb 2010 20:19:44 GMT, Benji said:
>
>> Does that just cover fraud? Surely a database injection counts as
>> unauthorised access?
>>
>> Does this mean that now anyone can start injecting websites and extracting
>> data, and as long as they don't use the data to 'commit fraud or disclose
>> national secrets', or albeit, it can't be proved, that person is safe?
>
> That's a gray area. Intent does matter:
>
> "naked" - not wearing any clothes.
> "nekkid" - naked and up to something.
>
> Do you want to bet 3-5 in the pen that the DA won't be able to convince a jury
> you didn't have intent?
>
> That's why it's always recommended you have a written "Get out of jail free"
> card when doing a pen test - that significantly raises the bar to proving you
> were up to no good.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
