Vulnerability: getdoc.cgi

Affected: Some Infonautics' applications.

Description:

The following was found by Black Watch Labs.

Some Infonautics' applications use the getdoc.cgi CGI in such a way that an attacker can gain (read) access to a document they would otherwise have to pay to view.

The exact mechanism of getdoc.cgi is not clear to the authors of this advisory, but what is known is as follows. This CGI is used by Infonautics' applications to view/purchase documents on archive sites and similar sites. The CGI is called with several parameters, and there are probably several "modes" and/or defaults (for missing parameters). However, it was observed that when the CGI is called in the following manner:

getdoc.cgi?id=whatever-this&OIDS=whatever-that&Form=RL

or

getdoc.cgi?id=whatever-this&OIDS=whatever-that&Form=RL&m=1

then it is possible to remove the "RL" value from the "Form" field, and the application will grant access to the document without going through the payment phase.

As the mechanism implemented in getdoc.cgi is not fully understood, it is possible that some links having the above format will not be vulnerable, and it may also be possible that links which do not conform to the above format will be vulnerable.

As noted above, if a link is encountered in the following format:

getdoc.cgi?id=whatever-this&OIDS=whatever-that&Form=RL&m=1

then an attacker can remove the RL and send:

getdoc.cgi?id=whatever-this&OIDS=whatever-that&Form=&m=1

Solution:

No patch or workaround available at the time of this release.
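The flaw described above is a classic case of an access decision driven by a client-controlled mode parameter: an empty "Form" value falls through to a default that serves the document. The following added example (not Infonautics code; the entitlement store, user names, document ids and log lines are all constructed) models that fall-through beside a hardened handler that derives authorization from the purchase record, and adds a log check that flags getdoc.cgi requests in the empty-Form shape the advisory describes.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed entitlement store: (user, document id) pairs that were paid for.
PURCHASED = {("alice", "12345")}

# Constructed access-log lines in a "METHOD PATH STATUS" format.
LOG = [
    "GET /getdoc.cgi?id=12345&OIDS=7&Form=RL&m=1 200",
    "GET /getdoc.cgi?id=12345&OIDS=7&Form=&m=1 200",
    "GET /getdoc.cgi?id=99999&OIDS=8 200",
    "GET /index.html 200",
]


def _params(url):
    """Query parameters as a flat dict; blank values are kept so 'Form=' is seen."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in q.items()}


def vulnerable_getdoc(url, user):
    """Dispatches on the Form parameter only. Any mode other than "RL"
    (including an empty one) falls through to serving the document,
    and the requesting user is never consulted: the flaw in the advisory."""
    p = _params(url)
    if p.get("Form") == "RL":
        return "payment-page"            # the intended paywall path
    return "document:" + p.get("id", "")  # default path serves the document


def hardened_getdoc(url, user):
    """Authorization comes from the purchase record, never from Form."""
    p = _params(url)
    doc = p.get("id", "")
    if (user, doc) not in PURCHASED:
        return "payment-page"
    return "document:" + doc


def suspicious_getdoc_requests(log_lines):
    """Flags getdoc.cgi requests whose Form value is empty or absent while
    OIDS is present, the request shape the advisory associates with the bypass."""
    hits = []
    for line in log_lines:
        path = line.split()[1]
        if "getdoc.cgi" not in path:
            continue
        p = _params(path)
        if "OIDS" in p and not p.get("Form"):
            hits.append(line)
    return hits
```

Until a vendor fix is available, the detection function can be run over access logs to measure exposure, and the hardened handler shows the shape of the server-side check a fix would need.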