"You can't break something that doesn't exist" - a Polish judgment on SQL Injection

On August 11, 2008 the District Court in Głogów, VI Grodzki Division, issued an important judgment in the case of a man accused of having, without authorisation and by breaking electronic security, gained access to a company's server and obtained information (personal data) not intended for him, thereby acting to the detriment of that company, i.e. accused of an act under Article 267 §1 of the Penal Code. By its judgment (case reference VI K 849/07) the court acquitted the accused of the charge, ordered the material evidence listed in the evidence list to be returned to him, and on the basis of Article 632 item 2 of the Code of Criminal Procedure ruled that the costs of the proceedings are to be borne by the State Treasury. The verdict is final. This is a very important decision (I signalled that I would publish information on this subject in the text "He boasted on the Internet, he will boast to his grandchildren"), and it concerns, among other things, the limits of what is possible when conducting a "security audit" of websites, as well as matters related to so-called SQL Injection.

I wrote about the case the court decided in the texts "Contractor looking for a gap, a repair offer and handcuffs" and its continuation "The case in which handcuffs were used after signing a confidentiality clause". Let me remind you that the accused did not agree to the voluntary submission to a penalty that was offered to him at the outset, and chose to defend himself. As part of this website's "Pro Bono Program" (cf. Vagla.pl for pro bono activities) the man's defence was undertaken by attorney Artur Kmieciak. After the judgment was issued, both the prosecutor's office and the defence asked the court for a written justification of the judgment, which would be necessary in order to lodge a possible appeal. The prosecutor's office, however, did not appeal (the verdict is an acquittal, so the defence had no reason to appeal) and the judgment became final.

What do we find in the justification of the judgment of the District Court in Głogów in the case of the accused? First of all, a description of the actions he took. He visited the website and found that it contained errors. Then, in the login form, he entered the string "or 1 = 1" (repeating this in the password field as well), as a result of which he was "logged in" to the account of a random user. This in turn meant that the man gained access to several user accounts and, with them, to those users' personal data. The man decided to make use of this fact by contacting representatives of the company running the website and informing them that he had "detected a gap enabling entry into the marketing database of companies belonging to or connected with the owner" of the company. In the meantime the man also checked other websites created by the author of the website used by the company. He noticed that all of these websites contained similar errors (they were built with the same content management system). To lend credibility to his proposal, the man included in an e-mail to the enterprise the data of one of its employees, which he had obtained as a result of the activities described above. Having received no reply to his offer of cooperation, he decided to write directly to the interested companies whose data was processed on the website.

Contact was made and the man was invited to cooperate. At the meeting to which he was invited, a contract was to be signed under which he would begin work on removing the security gaps. The man came to the agreed meeting, where he signed a confidentiality undertaking (dated before the detection of the errors), and was then detained by police cooperating with the company.

During the preparatory proceedings, a court expert in the field of computer science prepared an expert report on data examination, which concluded that the man had used "one of the forms of attack on databases called SQL Injection, the aim of which is to extract confidential information from a database and disrupt its functioning". In the course of the court proceedings the court, bearing in mind doubts arising from life experience and the motion of the defence counsel, admitted evidence in the form of an opinion from another expert. This opinion showed that by entering the string "or 1 = 1" the man did not break the database security. No access password was broken, no program code was introduced, and the man did not affect the functioning of the database security in any way. He also did not remove any security, did not change any access passwords, and did not create any database access account. The expert's opinion indicated that entering this string should be regarded as the use of SQL Injection to bypass security, which was made possible by the improper securing of the database. The login form and the website were constructed in such a way that the string entered by the man was an admissible input string for this type of form field. The application should have verified this string by checking whether a user with such a name or such a password is stored in the database and generated an appropriate error message.
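To make the second expert's point concrete, here is an added example (my own illustration, not code from the article, the court file or the site in question) of what such a login form typically does internally. It shows the same check twice: once with user input pasted into the SQL text, which is the kind of construction that lets "or 1 = 1" change the meaning of the query, and once as a parameterised query, where the identical string is only compared as data. The table, the accounts and the exact quoting of the payload are assumptions; the judgment quotes only "or 1 = 1", and whether a leading quote is needed depends on how the application stitches the input into its query.

```python
"""
Added example: a login check over SQLite, in the injectable form and in the
parameterised form.  Everything here (schema, accounts, payload) is
constructed for illustration and is not taken from the case.
"""
import sqlite3

# Constructed payload.  The judgment speaks of "or 1 = 1"; a form that wraps
# input in single quotes needs a leading quote so the rest escapes the string.
PAYLOAD = "' or '1'='1"


def make_db():
    """Build an in-memory user table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "hunter2"), ("bob", "s3cret")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Build the SQL by string concatenation.

    With PAYLOAD in both fields the statement becomes
        ... WHERE name = '' or '1'='1' AND password = '' or '1'='1'
    which is true for every row, so the first stored user is returned and
    the caller is 'logged in' as a random account.  Returns the matched
    user name or None.
    """
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Same check with bound parameters.

    The driver sends the strings as values, so quotes and 'or' inside them
    never reach the SQL parser as syntax; the payload is simply an account
    name that does not exist.
    """
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants against the constructed payload and a real login."""
    conn = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "vulnerable_unquoted": login_vulnerable(conn, "or 1=1", "or 1=1"),
        "safe_with_payload": login_safe(conn, PAYLOAD, PAYLOAD),
        "safe_real_login": login_safe(conn, "bob", "s3cret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things are worth noticing. First, the "vulnerable_unquoted" case shows that the bare string "or 1=1" does nothing against this particular concatenation, because it stays inside the quoted literal; which exact characters open the door depends on the application's query template, which is why the judgment's wording cannot be read as a precise recipe. Second, which account the vulnerable variant "logs in" to is whatever row the database happens to return first, matching the description of the man landing in a random user's account.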

The defence did not question the facts, and the man gave explanations consistent with the facts established by the court. The defence did, however, question whether the man's actions fulfilled all the elements of the offence under Art. 267 §1 of the Penal Code, in particular, according to the defence. In addition, the man explained that he had not used any program for breaking security.

The court, presided over by District Court judge Andrzej Molisak, weighed the following:

It is worth recalling the words of the justification once more: "you cannot break something that does not exist", and proposing that we consider whether, if you cannot break it, then by the same reasoning you also cannot "bypass" something that does not exist. Looking for information on one of the "amendment paths" of the Penal Code currently being processed, one can reach the text "Yes, yes, ad... images of minors, hacking, 269b...". The amending act, which among other things changes the content of Art. 267 §1 of the Penal Code, was adopted at Sejm sitting No. 22 on September 19, 2008. On September 22 the act was forwarded to the President and to the Marshal of the Senate. The legislative process for this amendment is not yet complete.

Asked by the acquitted man for the opportunity to add a few words to this report, I give him the floor:
