Infonautic's getdoc.cgi may allow unauthorized access to documents

[aleph1 () SECURITYFOCUS COM (Elias Levy)]

----- Forwarded message from Black Watch Labs <blackwatchlabs () perfectotech com> -----

Message-ID: <38F3B405.7A8596DE () perfectotech com>
Date: Tue, 11 Apr 2000 16:23:49 -0700
From: Black Watch Labs <blackwatchlabs () perfectotech com>
To: aleph1 () securityfocus com
Subject: Infonautic's getdoc.cgi may allow unauthorized access to documents

Hello Elias,

As mentioned in the Friday, April 7 email sent to you, here is the first
of the three previous Black Watch Labs vulnerability alerts, in plain
text format.   Two more will follow this email.

Thank you,
Black Watch Labs

Name:   Infonautic's getdoc.cgi may allow unauthorized access to documents

BWL ID:
BWL-00-03

Date Released:
March 21, 2000

Category:
Application(HTML) - parameter manipulation.

Products affected:
Some Infonautics' applications.

Number of affected sites/pages/users:
The list of Infonautics based sites appears in the Infonautics site.
Some of them certainly possess this vulnerability.

Summary:        
Some Infonautics' applications utilize the getdoc.cgi CGI in such a way
that allows attackers to gain (read) access to a document they would
otherwise have to pay in order to view.

Analysis:       
The exact mechanism of getdoc.cgi is not clear to the authors of this
advisory, yet what is known is as following:

This CGI is used by Infonautics' applications in order to view/purchase
documents in archives and alike sites. The CGI is called with several
parameters, and there are probably several "modes" and/or defaults (for
missing parameters). However, it was observed that when the CGI is
called in the following manner:
getdoc.cgi?id=whatever-this&OIDS=whatever-that&Form=RL
or
getdoc.cgi?id=whatever-this&OIDS=whatever-that&Form=RL&m=1

Then it is possible to remove the "RL" value from the "Form" field, and
the application will grant access to the document without going through
the payment phase.

As the mechanism implemented in getdoc.cgi is not fully understood, it
is possible that links having the above format will not be vulnerable,
and it may also be possible that links which do not conform to the above
format will be vulnerable.

Exploits:               
As noted above, if a link is encountered in the following format:
getdoc.cgi?id=whatever-this&OIDS=whatever-that&Form=RL&m=1
Then an attacker can remove the RL and send:
getdoc.cgi?id=whatever-this&OIDS=whatever-that&Form=&m=1

Vendor Status:
Vendor notified.

Vendor Patch or workaround:
No patch or workaround available at the time of this release.

References and Links:
Infonautics: www.infonautics.com

About Black Watch Labs (http://www.perfectotech.com/blackwatchlabs/)
Black Watch Labs is a research group operated by Perfecto Technologies
Ltd., the leader in Web application security management. Black Watch
Labs was established to further the knowledge of Web application
security within the Internet community.

About Perfecto Technologies (www.perfectotech.com)
Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto
Technologies is the leader in Web Application Security Management
software. AppShield™, Perfecto's flagship product, is the first to
provide automatic Web site security, enabling companies to realize
faster time to market while meeting the demand for privacy and security.
Black Watch Labs was established to further the knowledge of Web
application security within the Internet security community. Privately
held, Perfecto is funded by blue-chip venture capital firms and industry
leaders, including Goldman Sachs, Intel Corporation, Sequoia Capital,
The Sprout Group and Walden Israel. More information about Perfecto
Technologies may be obtained by visiting the Company's Web site at
www.perfectotech.com or by calling the Company directly at (408)
855-9500.

Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved.
Permission is hereby granted to reproduce and distribute the application
security alerts herein in their entirety, provided the information, this
notice and all other Perfecto Technologies marks remain intact.

Specific Limitations on Use of the Black Watch Labs Advisories
THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN
SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON THE INTERNET,
INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS
ADVISORY IS SOLELY FOR THE PURPOSES OF UNDERSTANDING THESE RISKS AND
ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED
BY PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED
TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE, INCLUDING TO VIOLATE THE
SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE
USE FOR ANY IMPROPER PURPOSE OF INFORMATION DISCLOSED TO YOU COULD
SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND
OTHER COUNTRIES.

NO WARRANTY
Any material furnished by Perfecto Technologies is furnished on an "as
is" basis and may change without notice. Perfecto Technologies makes no
warranties of any kind, either expressed or implied as to any matter
including but not limited to, warranty of fitness for a particular
purpose or merchantability, exclusivity or results obtained from use of
the material.  Neither does Perfecto Technologies make any warranty of
any kind with respect to freedom from patent, trademark or copyright
infringement. In no event shall Perfecto Technologies be liable for any
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

----- End forwarded message -----