From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on gnuweeb.org X-Spam-Level: X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gnuweeb.org; s=default; t=1682121063; bh=qU8xAQ4796NH7UZDSZS15TQBerW3ETiNzXxAuz9b9cA=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=aR7qbb/eqUhwg7GNXVoFEeWhBhiesxeh0AFDcB1oG15W/uaos4RRfC85UedOES24p xGdqKGXVnzFDH5h6Suhr2URNcrNWVjPhP8TlFBUPx+7HSBHjoPrZuOWrWrSa1iYonv PMeojfgYHIgb6FOt8XSheFApUCUqlJGnj0qarJUdyNC1VO4d7+Din67mQT3nWY6ZnB +Jy8fQqS3GG1yKVhGNq1fwau79eAZS35oKweNpsz4xJLjhVjUOPhDtmZe/4i5QapDY MCKWsQrqaWv6cs1YbJN9BohHA8nqom5EIVcj52XGxNIv8S3QdSOqDKqDyl5VmUGU+3 YQqJ25adNFJ7g== Received: from mail-yw1-f176.google.com (mail-yw1-f176.google.com [209.85.128.176]) by gnuweeb.org (Postfix) with ESMTPSA id 3B7ED245698 for ; Sat, 22 Apr 2023 06:51:03 +0700 (WIB) Received: by mail-yw1-f176.google.com with SMTP id 00721157ae682-54fdf7cd390so4312627b3.1 for ; Fri, 21 Apr 2023 16:51:03 -0700 (PDT) X-Gm-Message-State: AAQBX9fYEOx/Mw+Uxpx3+TH+E7MNIdZivq0i3hk1Bjx5gClwziMW/PqK 9yqAYjFB+8p+q1icTnMTL34huXIK4BUnkGMw4Vg= X-Google-Smtp-Source: AKy350bTrIArCXY7sQUx0tEaTrFiCNcF+PnVMWbS+ZBbJL7IAXH/x5PLfC1hj8mQ73QotGIGpX9Qk0j9NNGLpuAq/tI= X-Received: by 2002:a81:7857:0:b0:541:664e:b5d4 with SMTP id t84-20020a817857000000b00541664eb5d4mr4808150ywc.4.1682121062188; Fri, 21 Apr 2023 16:51:02 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Ammar Faizi Date: Sat, 22 Apr 2023 06:50:46 +0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: CF ticketing system is still vulnerable To: Alviro Iskandar Setiawan Cc: Michael William Jonathan , "GNU/Weeb Mailing List" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: On Sat, Apr 22, 2023 at 6:42=E2=80=AFAM Alviro Iskandar Setiawan wrote: > On Sat, Apr 22, 2023 at 6:21=E2=80=AFAM Ammar Faizi wrote: > > On Fri, Apr 21, 2023 at 7:45=E2=80=AFAM Ammar Faizi wrote: > > > On Fri, Apr 21, 2023 at 7:42=E2=80=AFAM Alviro Iskandar Setiawan wrot= e: > > > > POC and sample attached. > > > > > > > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lp= thread; > > > > ./gwcfd2; > > > > > > I'll address this ASAP. > > > > I sent your POC and sample to the KiosTix people yesterday. At first, > > they didn't acknowledge the leak because they thought you leaked the > > old tickets. > > Didn't they read the dump.txt file I sent? It looks new to me... Or > maybe I am the one who ate their sweet honeypot this time? No, I don't think that's a honeypot. I just confirmed that my new tickets that already use UUIDv4 are in your dump too. So it's legit; they just didn't understand what you're trying to inform. > > Looking at their response, they will need a few days to mull things > > over before they fix the vuln. Plus, they will probably have > > difficulty grasping what your crazy multithreaded POC is actually > > doing. So let's give them more time; they're web developers, not > > super-savants. > > Imagine what will happen if someone else outside GNU/Weeb finds the > vuln and posts it publicly. Hope they don't blame us in case that > happens. That's a real problem for us too. --=20 Ammar Faizi