Monday, February 26, 2007

This is how I get free access to ACM Portal: a security hole

Yes, it's true! I got free access to ACM Portal from a network that is not subscribed. The portal lets anyone view the abstract of a paper, but to download the paper you must either have a membership account with ACM or be on a subscribed network, as most educational organizations are. Without either of those two options you cannot download the paper (through the ACM portal).

Until now my friends and I were under the illusion that requests are tracked by IP address, and that a request from an IP address not in the subscription list is treated as a normal, unsubscribed request. That may not be true. When I type a paper title into Google search and select a result link that points to the ACM portal, I get access to the ACM portal page as a genuine user from Google, Inc., and can download the desired paper. It gives full access as a subscribed user. I tested with the Firefox and Konqueror browsers, and friends working at other companies tested on Windows IE as well. It is only possible with Google search, not with other search engines such as Yahoo Search or Ask.

Observe some of the screenshots I took while experimenting. Sometimes the portal shows Google, Inc.; sometimes CILEA Consortium; and sometimes FUJITSU Ltd. I guess it is a security hole. One more thing: the search result URL must contain CFID and CFTOKEN. Maybe these two attributes are the driving factors that get me access. Try the sample search and select the result that points to the ACM portal (it should be in the first 10 entries). When I searched for those two variables, I learned that CFID and CFTOKEN are the ColdFusion session variables, used to track the user's browser session. By default, all ColdFusion versions write CFID and CFTOKEN as persistent cookies in the client browser. An important security note is: coding sensitive data such as CFID and CFTOKEN into the URL string is a security risk. Even though they are designed as per-session cookies, it is still possible for us to get access through Google search.
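The mechanism described above, as an added example (not code from this post, ACM or ColdFusion): a log scan that flags requests carrying CFID/CFTOKEN in the URL, and a server-side check that honours session identifiers only from the Cookie header and only from the network they were issued to. The log lines, the session table and the .cfm paths are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

SESSION_KEYS = {"cfid", "cftoken"}

# Constructed access-log lines (client ip, request line, status, size, referer, user agent).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2007:10:01:02 +0000] "GET /citation.cfm?id=1234567&CFID=111222&CFTOKEN=33445566 HTTP/1.1" 200 5120 "http://www.google.com/search?q=paper" "Mozilla/5.0"
10.0.0.6 - - [26/Feb/2007:10:01:05 +0000] "GET /citation.cfm?id=1234567 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [26/Feb/2007:10:02:11 +0000] "GET /ft_gateway.cfm?id=7654321&CFID=111222&CFTOKEN=33445566 HTTP/1.1" 200 90112 "-" "Konqueror/3.5"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
                    r'\d+ \S+ "(?P<referer>[^"]*)" "[^"]*"')


def session_tokens_in_url(url):
    """Return {NAME: value} for any session identifier carried in the query string."""
    qs = parse_qs(urlsplit(url).query)
    return {k.upper(): v[0] for k, v in qs.items() if k.lower() in SESSION_KEYS}


def find_url_sessions(log_text):
    """Flag every request whose URL carried a session id; a search-engine referer
    on such a hit is the replayed, indexed token pair the post describes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (tokens := session_tokens_in_url(m["url"])):
            hits.append({"ip": m["ip"], "referer": m["referer"], **tokens})
    return hits


# Constructed session table: token pair -> the client it was issued to.
SESSIONS = {("111222", "33445566"): {"ip": "192.0.2.10", "subscriber": "Example University"}}


def authorize(client_ip, url, cookies, sessions=SESSIONS):
    """Grant subscriber access only for a cookie-borne session used from the IP it
    was issued to. Query-string tokens never count: they end up in referers, logs
    and search indexes, which is how the post's access was obtained."""
    pair = (cookies.get("CFID"), cookies.get("CFTOKEN"))
    sess = sessions.get(pair)
    if sess is None:
        why = "session id in URL ignored" if session_tokens_in_url(url) else "no session"
        return ("anonymous", why)
    if sess["ip"] != client_ip:
        return ("rejected", "session replayed from another network")
    return ("subscriber", sess["subscriber"])
```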

I am still wondering why it is only possible with Google Search and not with any other search engine. Maybe I need to dig into ColdFusion programming.

Update:
It seems Google Search is no longer providing such results. But this link will directly allow you to access the ACM portal under the 'Google Inc' network. The reason is, as I said earlier, that the query result must include the CFID and CFTOKEN arguments.

6 comments:

Deva said...

I think ACM made so many publications free. Still so many are not able to access through your method.

uma said...

@Devs,
Once you have entered the portal, you can make a local search there for the desired paper. If you are not able to get it, use my sample search.

Anonymous said...

Seems like the sample search is not working anymore....

uma said...

@Anonymous,
Look in the updated section. I provided a link to access directly under the Google Inc network.

Anonymous said...

damn, you da man, i was about to pay the membership fee, you saved me.

okrutny.krisek said...

:(
they've repaired the bug....
