GNU/Weeb Mailing List <[email protected]>
* Re: CF ticketing system is still vulnerable
       [not found] <CAOG64qN7ZPE+twkvxWM8uq4NDsWzbUsXGYvrPxhf55YWG2G3Ww@mail.gmail.com>
@ 2023-04-21  0:45 ` Ammar Faizi
  2023-04-21 23:21   ` Ammar Faizi
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-21  0:45 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> Hi Ammar,
>
> After the recent fix from KiosTix, I can still dump 10889 tickets this
> morning. I found that about 90% of tickets already use UUIDv4 in this
> dump. KiosTix MUST also reset all tickets again despite the fact that
> they already use UUIDv4 because everything is still publicly
> available.
>
> Please report this immediately to KiosTix!
>
> POC and sample attached.
>
> gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> ./gwcfd2;

I'll address this ASAP.

-- 
Ammar Faizi


* Re: CF ticketing system is still vulnerable
  2023-04-21  0:45 ` CF ticketing system is still vulnerable Ammar Faizi
@ 2023-04-21 23:21   ` Ammar Faizi
  2023-04-21 23:41     ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-21 23:21 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > POC and sample attached.
> >
> > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > ./gwcfd2;
>
> I'll address this ASAP.

I sent your POC and sample to the KiosTix people yesterday. At first,
they didn't acknowledge the leak because they thought you leaked the
old tickets.

Looking at their response, they will need a few days to mull things
over before they fix the vuln. Plus, they will probably have
difficulty grasping what your crazy multithreaded POC is actually
doing. So let's give them more time; they're web developers, not
super-savants.

-- 
Ammar Faizi


* Re: CF ticketing system is still vulnerable
  2023-04-21 23:21   ` Ammar Faizi
@ 2023-04-21 23:41     ` Alviro Iskandar Setiawan
  2023-04-21 23:50       ` Ammar Faizi
  0 siblings, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-21 23:41 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

[-- Attachment #1: Type: text/plain, Size: 1099 bytes --]

On Sat, Apr 22, 2023 at 6:21 AM Ammar Faizi wrote:
> On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> > On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > > POC and sample attached.
> > >
> > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > > ./gwcfd2;
> >
> > I'll address this ASAP.
>
> I sent your POC and sample to the KiosTix people yesterday. At first,
> they didn't acknowledge the leak because they thought you leaked the
> old tickets.

Didn't they read the dump.txt file I sent? It looks new to me... Or
maybe I am the one who ate their sweet honeypot this time?

> Looking at their response, they will need a few days to mull things
> over before they fix the vuln. Plus, they will probably have
> difficulty grasping what your crazy multithreaded POC is actually
> doing. So let's give them more time; they're web developers, not
> super-savants.

Imagine what will happen if someone else outside GNU/Weeb finds the
vuln and posts it publicly. Hope they don't blame us in case that
happens.

-- Viro

[-- Attachment #2: endpoints.txt.gpg.asc --]
[-- Type: text/plain, Size: 11944 bytes --]



* Re: CF ticketing system is still vulnerable
  2023-04-21 23:41     ` Alviro Iskandar Setiawan
@ 2023-04-21 23:50       ` Ammar Faizi
  2023-04-22  0:09         ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-21 23:50 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 6:42 AM Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 6:21 AM Ammar Faizi wrote:
> > On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> > > On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > > > POC and sample attached.
> > > >
> > > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > > > ./gwcfd2;
> > >
> > > I'll address this ASAP.
> >
> > I sent your POC and sample to the KiosTix people yesterday. At first,
> > they didn't acknowledge the leak because they thought you leaked the
> > old tickets.
>
> Didn't they read the dump.txt file I sent? It looks new to me... Or
> maybe I am the one who ate their sweet honeypot this time?

No, I don't think that's a honeypot. I just confirmed that my new
tickets that already use UUIDv4 are in your dump too. So it's legit;
they just didn't understand what you're trying to inform.

> > Looking at their response, they will need a few days to mull things
> > over before they fix the vuln. Plus, they will probably have
> > difficulty grasping what your crazy multithreaded POC is actually
> > doing. So let's give them more time; they're web developers, not
> > super-savants.
>
> Imagine what will happen if someone else outside GNU/Weeb finds the
> vuln and posts it publicly. Hope they don't blame us in case that
> happens.

That's a real problem for us too.

-- 
Ammar Faizi


* Re: CF ticketing system is still vulnerable
  2023-04-21 23:50       ` Ammar Faizi
@ 2023-04-22  0:09         ` Alviro Iskandar Setiawan
  2023-04-22  0:18           ` Ammar Faizi
  0 siblings, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-22  0:09 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 6:51 AM Ammar Faizi wrote:
> On Sat, Apr 22, 2023 at 6:42 AM Alviro Iskandar Setiawan wrote:
> > On Sat, Apr 22, 2023 at 6:21 AM Ammar Faizi wrote:
> > > On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> > > > On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > > > > POC and sample attached.
> > > > >
> > > > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > > > > ./gwcfd2;
> > > >
> > > > I'll address this ASAP.
> > >
> > > I sent your POC and sample to the KiosTix people yesterday. At first,
> > > they didn't acknowledge the leak because they thought you leaked the
> > > old tickets.
> >
> > Didn't they read the dump.txt file I sent? It looks new to me... Or
> > maybe I am the one who ate their sweet honeypot this time?
>
> No, I don't think that's a honeypot. I just confirmed that my new
> tickets that already use UUIDv4 are in your dump too. So it's legit;
> they just didn't understand what you're trying to inform.

Doubt, did you talk to a dev or a manager? I guess you were talking to
a manager who doesn't understand the technical stuff behind this.

-- Viro


* Re: CF ticketing system is still vulnerable
  2023-04-22  0:09         ` Alviro Iskandar Setiawan
@ 2023-04-22  0:18           ` Ammar Faizi
  2023-04-22  0:29             ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-22  0:18 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 07:09:51AM +0700, Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 6:51 AM Ammar Faizi wrote:
> > On Sat, Apr 22, 2023 at 6:42 AM Alviro Iskandar Setiawan wrote:
> > > On Sat, Apr 22, 2023 at 6:21 AM Ammar Faizi wrote:
> > > > On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> > > > > On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > POC and sample attached.
> > > > > >
> > > > > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > > > > > ./gwcfd2;
> > > > >
> > > > > I'll address this ASAP.
> > > >
> > > > I sent your POC and sample to the KiosTix people yesterday. At first,
> > > > they didn't acknowledge the leak because they thought you leaked the
> > > > old tickets.
> > >
> > > Didn't they read the dump.txt file I sent? It looks new to me... Or
> > > maybe I am the one who ate their sweet honeypot this time?
> >
> > No, I don't think that's a honeypot. I just confirmed that my new
> > tickets that already use UUIDv4 are in your dump too. So it's legit;
> > they just didn't understand what you're trying to inform.
> 
> Doubt, did you talk to a dev or a manager? I guess you were talking to
> a manager who doesn't understand the technical stuff behind this.

To both of them, actually. Initially, I was talking to the "head of
sales & partnership" person. Then she created a WA group where I
directly talk to the dev.

[12:50 PM, 4/21/2023] Priska Narinda: Hello Mas Amar @Ammar Faizi, here is a representative from KiosTix IT, Mas Ali @Ali Reza Y
[12:50 PM, 4/21/2023] Priska Narinda: Let's communicate here, okay?
[12:50 PM, 4/21/2023] Priska Narinda: So it doesn't get stuck and delayed with me
...
[12:52 PM, 4/21/2023] Priska Narinda: Mas @Ali Reza Y, this is a finding from Mas Amar's team regarding a KiosTix bug... could you please respond on how it will be handled?
[12:52 PM, 4/21/2023] Ammar Faizi: Nice to meet you, Mas @Ali Reza Y. I'm Ammar Faizi from GNU/Weeb. Any response regarding the message above?
[12:53 PM, 4/21/2023] Priska Narinda: Yes, please wait for Ali's answer
[1:00 PM, 4/21/2023] Ali Reza Y: Hello Mas.. let me bring this to our team for discussion first
[1:02 PM, 4/21/2023] Ammar Faizi: Okay.
[1:06 PM, 4/21/2023] Ali Reza Y: Is there anything else, Mas, so we can discuss it internally at the same time?
[1:07 PM, 4/21/2023] Ammar Faizi: Not yet. I'll keep updating here if there are other findings.

-- 
Ammar Faizi



* Re: CF ticketing system is still vulnerable
  2023-04-22  0:18           ` Ammar Faizi
@ 2023-04-22  0:29             ` Alviro Iskandar Setiawan
  2023-04-22  0:41               ` Ammar Faizi
  0 siblings, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-22  0:29 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 7:18 AM Ammar Faizi wrote:
> On Sat, Apr 22, 2023 at 07:09:51AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sat, Apr 22, 2023 at 6:51 AM Ammar Faizi wrote:
> > > On Sat, Apr 22, 2023 at 6:42 AM Alviro Iskandar Setiawan wrote:
> > > > On Sat, Apr 22, 2023 at 6:21 AM Ammar Faizi wrote:
> > > > > On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> > > > > > On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > > POC and sample attached.
> > > > > > >
> > > > > > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > > > > > > ./gwcfd2;
> > > > > >
> > > > > > I'll address this ASAP.
> > > > >
> > > > > I sent your POC and sample to the KiosTix people yesterday. At first,
> > > > > they didn't acknowledge the leak because they thought you leaked the
> > > > > old tickets.
> > > >
> > > > Didn't they read the dump.txt file I sent? It looks new to me... Or
> > > > maybe I am the one who ate their sweet honeypot this time?
> > >
> > > No, I don't think that's a honeypot. I just confirmed that my new
> > > tickets that already use UUIDv4 are in your dump too. So it's legit;
> > > they just didn't understand what you're trying to inform.
> >
> > Doubt, did you talk to a dev or a manager? I guess you were talking to
> > a manager who doesn't understand the technical stuff behind this.
>
> To both of them, actually. Initially, I was talking to the "head of
> sales & partnership" person. Then she created a WA group where I
> directly talk to the dev.

better to just sleep :/

-- Viro


* Re: CF ticketing system is still vulnerable
  2023-04-22  0:29             ` Alviro Iskandar Setiawan
@ 2023-04-22  0:41               ` Ammar Faizi
  2023-04-22  0:54                 ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-22  0:41 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 07:29:09AM +0700, Alviro Iskandar Setiawan wrote:
> better to just sleep :/

Good point! For now, I am going to do my daily morning ritual and memory
consolidation __("called sleep 😴😴😴")__.

-- 
Ammar Faizi



* Re: CF ticketing system is still vulnerable
  2023-04-22  0:41               ` Ammar Faizi
@ 2023-04-22  0:54                 ` Alviro Iskandar Setiawan
  2023-04-22  1:01                   ` Ammar Faizi
  0 siblings, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-22  0:54 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 7:41 AM Ammar Faizi wrote:
> On Sat, Apr 22, 2023 at 07:29:09AM +0700, Alviro Iskandar Setiawan wrote:
> > better to just sleep :/
>
> Good point! For now, I am going to do my daily morning ritual and memory
> consolidation __("called sleep 😴😴😴")__.

I wish I could, still meeting my family members. Idul fitri is a
tiring holiday, especially for a no-life-weeb (like me).

-- Viro


* Re: CF ticketing system is still vulnerable
  2023-04-22  0:54                 ` Alviro Iskandar Setiawan
@ 2023-04-22  1:01                   ` Ammar Faizi
  2023-04-22  2:35                     ` Ammar Faizi
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-22  1:01 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 07:54:05AM +0700, Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 7:41 AM Ammar Faizi wrote:
> > On Sat, Apr 22, 2023 at 07:29:09AM +0700, Alviro Iskandar Setiawan wrote:
> > > better to just sleep :/
> >
> > Good point! For now, I am going to do my daily morning ritual and memory
> > consolidation __("called sleep 😴😴😴")__.
> 
> I wish I could, still meeting my family members. Idul fitri is a
> tiring holiday, especially for a no-life-weeb (like me).

Eat it!!!
(and have fun)

-- 
Ammar Faizi



* Re: CF ticketing system is still vulnerable
  2023-04-22  1:01                   ` Ammar Faizi
@ 2023-04-22  2:35                     ` Ammar Faizi
  2023-04-22  6:02                       ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-22  2:35 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 08:01:36AM +0700, Ammar Faizi wrote:
> On Sat, Apr 22, 2023 at 07:54:05AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sat, Apr 22, 2023 at 7:41 AM Ammar Faizi wrote:
> > > On Sat, Apr 22, 2023 at 07:29:09AM +0700, Alviro Iskandar Setiawan wrote:
> > > > better to just sleep :/

They just said they have fixed the vuln. Please verify that it's
actually fixed, then you can sleep well.

-- 
Ammar Faizi



* Re: CF ticketing system is still vulnerable
  2023-04-22  2:35                     ` Ammar Faizi
@ 2023-04-22  6:02                       ` Alviro Iskandar Setiawan
  2023-04-22  6:38                         ` Ammar Faizi
  2023-04-22 22:58                         ` CF ticketing system is still vulnerable Alviro Iskandar Setiawan
  0 siblings, 2 replies; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-22  6:02 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 9:35 AM Ammar Faizi wrote:
> They just said they have fixed the vuln. Please verify that it's
> actually fixed, then you can sleep well.

Looks good to me. Now the endpoint returns {"success":false}.

Acked-by: Alviro Iskandar Setiawan <[email protected]>

-- Viro


* Re: CF ticketing system is still vulnerable
  2023-04-22  6:02                       ` Alviro Iskandar Setiawan
@ 2023-04-22  6:38                         ` Ammar Faizi
  2023-04-22  6:53                           ` Alviro Iskandar Setiawan
  2023-04-22 22:58                         ` CF ticketing system is still vulnerable Alviro Iskandar Setiawan
  1 sibling, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-22  6:38 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 01:02:49PM +0700, Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 9:35 AM Ammar Faizi wrote:
> > They just said they have fixed the vuln. Please verify that it's
> > actually fixed, then you can sleep well.
> 
> Looks good to me. Now the endpoint returns {"success":false}.
> 
> Acked-by: Alviro Iskandar Setiawan <[email protected]>

Thanks for testing. I'll report it.

-- 
Ammar Faizi



* Re: CF ticketing system is still vulnerable
  2023-04-22  6:38                         ` Ammar Faizi
@ 2023-04-22  6:53                           ` Alviro Iskandar Setiawan
  2023-04-22  7:49                             ` Telegram bot? (was: Re: CF ticketing system is still vulnerable) Ammar Faizi
  0 siblings, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-22  6:53 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 1:38 PM Ammar Faizi wrote:
> Thanks for testing. I'll report it.

See you guys in Jakarta.

-- Viro


* Telegram bot? (was: Re: CF ticketing system is still vulnerable)
  2023-04-22  6:53                           ` Alviro Iskandar Setiawan
@ 2023-04-22  7:49                             ` Ammar Faizi
  2023-04-22  7:52                               ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-22  7:49 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Irvan Malik Azantha, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 01:53:47PM +0700, Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 1:38 PM Ammar Faizi wrote:
> See you guys in Jakarta.

Strictly speaking, Tangerang. But yeah, touching Jakarta is inevitable.
Looking forward to it!

[ - Moving Moe to Bcc (check list if you're interested).
  - Adding Irvan to Cc. ]

Move on.

I plan to continue the bot development, are you done with the pending
pull requests? It seems it's a good time to get it deployed soon.

-- 
Ammar Faizi



* Re: Telegram bot? (was: Re: CF ticketing system is still vulnerable)
  2023-04-22  7:49                             ` Telegram bot? (was: Re: CF ticketing system is still vulnerable) Ammar Faizi
@ 2023-04-22  7:52                               ` Alviro Iskandar Setiawan
  2023-04-22  7:59                                 ` Ammar Faizi
  0 siblings, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-22  7:52 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Irvan Malik Azantha, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 2:49 PM Ammar Faizi wrote:
>
> Strictly speaking, Tangerang. But yeah, touching Jakarta is inevitable.
> Looking forward to it!

Right, my mistake.

> I plan to continue the bot development, are you done with the pending
> pull requests? It seems it's a good time to get it deployed soon.

Almost forgot. Good time to start that again. I took a break with that
honestly. Let me get it continued again today. Not bad for holiday
activities.

-- Viro


* Re: Telegram bot? (was: Re: CF ticketing system is still vulnerable)
  2023-04-22  7:52                               ` Alviro Iskandar Setiawan
@ 2023-04-22  7:59                                 ` Ammar Faizi
  2023-04-22  8:00                                   ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-22  7:59 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Irvan Malik Azantha, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 02:52:42PM +0700, Alviro Iskandar Setiawan wrote:
> Let me get it continued again today.

Did you push your work to an online git tree? I am not going to
directly merge it, but just want to see the changes.

-- 
Ammar Faizi



* Re: Telegram bot? (was: Re: CF ticketing system is still vulnerable)
  2023-04-22  7:59                                 ` Ammar Faizi
@ 2023-04-22  8:00                                   ` Alviro Iskandar Setiawan
  0 siblings, 0 replies; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-22  8:00 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Irvan Malik Azantha, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 2:59 PM Ammar Faizi wrote:
> On Sat, Apr 22, 2023 at 02:52:42PM +0700, Alviro Iskandar Setiawan wrote:
> > Let me get it continued again today.
>
> Did you push your work to an online git tree? I am not going to
> directly merge it, but just want to see the changes.

Still tmp commits, need rebase and real commit message of course
https://github.com/alviroiskandar/GNUWeebBot2/tree/dev (last touched: last week)

-- Viro


* Re: CF ticketing system is still vulnerable
  2023-04-22  6:02                       ` Alviro Iskandar Setiawan
  2023-04-22  6:38                         ` Ammar Faizi
@ 2023-04-22 22:58                         ` Alviro Iskandar Setiawan
  2023-04-22 23:06                           ` Ammar Faizi
  1 sibling, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-22 22:58 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 1:02 PM Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 9:35 AM Ammar Faizi wrote:
> > They just said they have fixed the vuln. Please verify that it's
> > actually fixed, then you can sleep well.
>
> Looks good to me. Now the endpoint returns {"success":false}.

Back to this again, I am not sure if the fix is proper. I get HTTP 500
when accessing it from libcurl in my C program:

> * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
> * Using Stream ID: 1 (easy handle 0x7f19f0000b70)
> > GET /<URI> HTTP/2
> > Host: kiostix.com
> > user-agent: curl/7.81.0
> > accept: */*
>
> * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
> < HTTP/2 500
> < content-type: application/json; charset=utf-8
> < content-length: 17
> < date: Sat, 22 Apr 2023 22:45:27 GMT
> < access-control-allow-credentials: true
> < access-control-allow-origin: *
> < access-control-allow-methods: GET,OPTIONS,PATCH,DELETE,POST,PUT
> < access-control-allow-headers: X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version
> < etag: "zngjl94gbkh"
> < vary: Accept-Encoding
> < x-cache: Error from cloudfront
> < via: 1.1 6f91c725c3d4f2326304347075e516a4.cloudfront.net (CloudFront)
> < x-amz-cf-pop: SIN2-P1
> < x-amz-cf-id: _2tJGxIIYax9O0HQ6DexdXe1EYH_u8_Ow1d5Z6N2G9mGSRU2RRGkKw==
> <
> * Connection #0 to host kiostix.com left intact
> {"success":false}

But if I access it from curl cmd:

> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > GET /<URI> HTTP/2
> > Host: kiostix.com
> > user-agent: curl/7.81.0
> > accept: */*
> >
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> < HTTP/2 200
> < content-type: application/json; charset=utf-8
> < content-length: 167
> < date: Thu, 20 Apr 2023 23:12:21 GMT
> < access-control-allow-credentials: true
> < access-control-allow-origin: *
> < access-control-allow-methods: GET,OPTIONS,PATCH,DELETE,POST,PUT
> < access-control-allow-headers: X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version
> < etag: "d65958y5yu4n"
> < vary: Accept-Encoding
> < x-cache: RefreshHit from cloudfront
> < via: 1.1 8d08de7fce6cdb6f648bade508fa2926.cloudfront.net (CloudFront)
> < x-amz-cf-pop: SIN2-P1
> < x-amz-cf-id: 3CtjmR6LPdqP4wVerazXS7DVYSVaPdEYQ609h-Uczw9UgjeQ6W-BFw==
> < age: 171251
> <
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * Connection #0 to host kiostix.com left intact
> {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}

That means it's not fixed. Also, HTTP 500 indicates internal server
error. It seems something goes very wrong with their fix attempt. So
yes, it's still vulnerable when I write this email.

-- Viro


* Re: CF ticketing system is still vulnerable
  2023-04-22 22:58                         ` CF ticketing system is still vulnerable Alviro Iskandar Setiawan
@ 2023-04-22 23:06                           ` Ammar Faizi
  2023-04-22 23:11                             ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-22 23:06 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 05:58:09AM +0700, Alviro Iskandar Setiawan wrote:
> Back to this again, I am not sure if the fix is proper. I get HTTP 500
> when accessing it from libcurl in my C program:
> 
[...]
> > {"success":false}
> 
> But if I access it from curl cmd:
[...]
> > {"success":true,"etickets":[<snip>]}
>
> That means it's not fixed. Also, HTTP 500 indicates internal server
> error. It seems something goes very wrong with their fix attempt. So
> yes, it's still vulnerable when I write this email.

In other words, they only block your POC, but the endpoint is still
accessible if you use another program?

-- 
Ammar Faizi



* Re: CF ticketing system is still vulnerable
  2023-04-22 23:06                           ` Ammar Faizi
@ 2023-04-22 23:11                             ` Alviro Iskandar Setiawan
  2023-04-22 23:23                               ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-22 23:11 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 6:06 AM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 05:58:09AM +0700, Alviro Iskandar Setiawan wrote:
> > Back to this again, I am not sure if the fix is proper. I get HTTP 500
> > when accessing it from libcurl in my C program:
> >
> [...]
> > > {"success":false}
> >
> > But if I access it from curl cmd:
> [...]
> > > {"success":true,"etickets":[<snip>]}
> >
> > That means it's not fixed. Also, HTTP 500 indicates internal server
> > error. It seems something goes very wrong with their fix attempt. So
> > yes, it's still vulnerable when I write this email.
>
> In other words, they only block your POC, but the endpoint is still
> accessible if you use another program?

Yes. But I'm not sure what the difference is. I'm fully confident that
the header requests I sent via my POC and via curl cmd are the same.

Summary:
- Access from browser: {"success":false}
- Access from my POC: {"success":false}
- Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
- Access from curl cmd (no cookies): {"success":true, "etickets": [...]}

I guess it's something about CDN. But I don't have enough info to make
a conclusion about the technical details.

-- Viro


* Re: CF ticketing system is still vulnerable
  2023-04-22 23:11                             ` Alviro Iskandar Setiawan
@ 2023-04-22 23:23                               ` Alviro Iskandar Setiawan
  2023-04-22 23:36                                 ` Ammar Faizi
  0 siblings, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-22 23:23 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> Summary:
> - Access from browser: {"success":false}
> - Access from my POC: {"success":false}
> - Access from XHR (real login with cookies):  {"success":true, "etickets": [...]}
> - Access from curl cmd (no cookies):  {"success":true, "etickets": [...]}

Using real login with cookies can only get tickets that the user owns.
But if I remove the cookies, it can get any ticket just like
previously (from curl cmd).

-- Viro


* Re: CF ticketing system is still vulnerable
  2023-04-22 23:23                               ` Alviro Iskandar Setiawan
@ 2023-04-22 23:36                                 ` Ammar Faizi
  2023-04-23  1:28                                   ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-22 23:36 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > Summary:
> > - Access from browser: {"success":false}
> > - Access from my POC: {"success":false}
> > - Access from XHR (real login with cookies):  {"success":true, "etickets": [...]}
> > - Access from curl cmd (no cookies):  {"success":true, "etickets": [...]}
> 
> Using real login with cookies can only get tickets that the user owns.
> But if I remove the cookies, it can get any ticket just like
> previously (from curl cmd).

Confirmed. I can reproduce it.

-- 
Ammar Faizi



* Re: CF ticketing system is still vulnerable
  2023-04-22 23:36                                 ` Ammar Faizi
@ 2023-04-23  1:28                                   ` Alviro Iskandar Setiawan
  2023-04-23  1:31                                     ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-23  1:28 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > Summary:
> > > - Access from browser: {"success":false}
> > > - Access from my POC: {"success":false}
> > > - Access from XHR (real login with cookies):  {"success":true, "etickets": [...]}
> > > - Access from curl cmd (no cookies):  {"success":true, "etickets": [...]}
> >
> > Using real login with cookies can only get tickets that the user owns.
> > But if I remove the cookies, it can get any ticket just like
> > previously (from curl cmd).
>
> Confirmed. I can reproduce it.

This looks like a CDN cache to me. Using cookies will provoke cache
misses as the CDN can't decide anything about authentication. Thus, it
ends up accessing the origin server to get the response.

-- Viro


* Re: CF ticketing system is still vulnerable
  2023-04-23  1:28                                   ` Alviro Iskandar Setiawan
@ 2023-04-23  1:31                                     ` Alviro Iskandar Setiawan
  2023-04-23  1:38                                       ` Ammar Faizi
  0 siblings, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-23  1:31 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > Summary:
> > > > - Access from browser: {"success":false}
> > > > - Access from my POC: {"success":false}
> > > > - Access from XHR (real login with cookies):  {"success":true, "etickets": [...]}
> > > > - Access from curl cmd (no cookies):  {"success":true, "etickets": [...]}
> > >
> > > Using real login with cookies can only get tickets that the user owns.
> > > But if I remove the cookies, it can get any ticket just like
> > > previously (from curl cmd).
> >
> > Confirmed. I can reproduce it.
>
> This looks like a CDN cache to me. Using cookies will provoke cache
> misses as the CDN can't decide anything about authentication. Thus, it
> ends up accessing the origin server to get the response.

With cookies:
> < x-cache: Error from cloudfront
> < age: 2
> {"success":false}

Without cookies:
> < x-cache: RefreshHit from cloudfront
> < age: 181004
> {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}

-- Viro


* Re: CF ticketing system is still vulnerable
  2023-04-23  1:31                                     ` Alviro Iskandar Setiawan
@ 2023-04-23  1:38                                       ` Ammar Faizi
  2023-04-23  1:47                                         ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-23  1:38 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > Summary:
> > > > > - Access from browser: {"success":false}
> > > > > - Access from my POC: {"success":false}
> > > > > - Access from XHR (real login with cookies):  {"success":true, "etickets": [...]}
> > > > > - Access from curl cmd (no cookies):  {"success":true, "etickets": [...]}
> > > >
> > > > Using real login with cookies can only get tickets that the user owns.
> > > > But if I remove the cookies, it can get any ticket just like
> > > > previously (from curl cmd).
> > >
> > > Confirmed. I can reproduce it.
> >
> > This looks like a CDN cache to me. Using cookies will provoke cache
> > misses as the CDN can't decide anything about authentication. Thus, it
> > ends up accessing the origin server to get the response.
> 
> With cookies:
> > < x-cache: Error from cloudfront
> > < age: 2
> > {"success":false}
> 
> Without cookies:
> > < x-cache: RefreshHit from cloudfront
> > < age: 181004
> > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}

Great, good point!

And "age: 181004" means the page you see is 50.27 hours old. So we
can say that they've fixed the vuln, but their CDN is still caching
the vulnerable response.

-- 
Ammar Faizi
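The check behind the two captures above, as an added example (not code from the thread or from KiosTix): it parses curl -v style response lines, flags a CDN hit on a per-user API, converts the `age` header to hours, and tests whether an origin `Cache-Control` would stop a shared cache from storing the response. Function names, the sample `Cache-Control` values and the placeholder ticket URL are constructed for this example.

```python
"""Audit captured CDN responses for an API endpoint that must never be cached."""
import json

# Transcribed from the thread's curl output: request carrying a logged-in session cookie.
WITH_COOKIES = """< HTTP/2 200
< x-cache: Error from cloudfront
< age: 2
< content-type: application/json

{"success":false}"""

# Transcribed from the thread: the same request without cookies.
# The ticket URL is a constructed placeholder, not a real identifier.
WITHOUT_COOKIES = """< HTTP/2 200
< x-cache: RefreshHit from cloudfront
< age: 181004
< content-type: application/json

{"success":true,"etickets":["https://eticket.example.invalid/e/<uuid-placeholder>"]}"""

# x-cache values that mean the object came from CloudFront's cache, not the origin.
CDN_HIT_KINDS = {"Hit", "RefreshHit"}


def parse_curl_response(raw):
    """Split curl -v style output into (headers, body).

    Header lines may carry curl's '< ' prefix; names are lower-cased and
    the first blank line ends the header block.
    """
    headers, body_lines, in_body = {}, [], False
    for line in raw.splitlines():
        line = line[2:] if line.startswith("< ") else line
        if in_body:
            body_lines.append(line)
        elif line.strip() == "":
            in_body = True
        elif ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers, "\n".join(body_lines)


def age_hours(headers):
    """Seconds the CDN has held the object, expressed in hours."""
    return int(headers.get("age", "0")) / 3600


def audit(raw, sent_cookies):
    """Return findings for one captured exchange against a per-user API.

    Two things must never happen on such an endpoint: the CDN answering
    from cache, and an anonymous request receiving a success payload.
    """
    headers, body = parse_curl_response(raw)
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        payload = {}
    x_cache = headers.get("x-cache", "")
    cached = x_cache.split(" from ")[0] in CDN_HIT_KINDS
    success = payload.get("success") is True
    findings = []
    if cached:
        findings.append(f"served from CDN cache ({x_cache}), {age_hours(headers):.2f} h old")
    if not sent_cookies and success:
        findings.append("anonymous request received a success payload")
    if cached and success:
        findings.append("cache holds a success payload: purge the CDN and reissue the exposed tickets")
    return findings


def origin_headers_prevent_caching(headers):
    """True if the origin's Cache-Control keeps a shared cache from storing the object."""
    directives = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    return bool(directives & {"no-store", "private"})


if __name__ == "__main__":
    for label, raw, cookies in (("with cookies", WITH_COOKIES, True),
                                ("without cookies", WITHOUT_COOKIES, False)):
        print(label, "->", audit(raw, cookies) or ["no findings"])
```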



* Re: CF ticketing system is still vulnerable
  2023-04-23  1:38                                       ` Ammar Faizi
@ 2023-04-23  1:47                                         ` Alviro Iskandar Setiawan
  2023-04-23  1:53                                           ` Ammar Faizi
  0 siblings, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-23  1:47 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 8:38 AM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > > Summary:
> > > > > > - Access from browser: {"success":false}
> > > > > > - Access from my POC: {"success":false}
> > > > > > - Access from XHR (real login with cookies):  {"success":true, "etickets": [...]}
> > > > > > - Access from curl cmd (no cookies):  {"success":true, "etickets": [...]}
> > > > >
> > > > > Using real login with cookies can only get tickets that the user owns.
> > > > > But if I remove the cookies, it can get any ticket just like
> > > > > previously (from curl cmd).
> > > >
> > > > Confirmed. I can reproduce it.
> > >
> > > This looks like a CDN cache to me. Using cookies will provoke cache
> > > misses as the CDN can't decide anything about authentication. Thus, it
> > > ends up accessing the origin server to get the response.
> >
> > With cookies:
> > > < x-cache: Error from cloudfront
> > > < age: 2
> > > {"success":false}
> >
> > Without cookies:
> > > < x-cache: RefreshHit from cloudfront
> > > < age: 181004
> > > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}
>
> Great, good point!
>
> And "age: 181004" means the page you see has been 50.27 hours old. So we
> can say that they've fixed the vuln, but their CDN is still caching
> the vuln response.

Right, the only problem here is the tickets served by the CDN cache
are still accessible. They must reset all tickets again. Otherwise,
their attempt to protect CF tickets is in vain.

-- Viro


* Re: CF ticketing system is still vulnerable
  2023-04-23  1:47                                         ` Alviro Iskandar Setiawan
@ 2023-04-23  1:53                                           ` Ammar Faizi
  2023-04-23  3:33                                             ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-23  1:53 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 08:47:16AM +0700, Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 8:38 AM Ammar Faizi wrote:
> > On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> > > On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > > > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > > > Summary:
> > > > > > > - Access from browser: {"success":false}
> > > > > > > - Access from my POC: {"success":false}
> > > > > > > - Access from XHR (real login with cookies):  {"success":true, "etickets": [...]}
> > > > > > > - Access from curl cmd (no cookies):  {"success":true, "etickets": [...]}
> > > > > >
> > > > > > Using real login with cookies can only get tickets that the user owns.
> > > > > > But if I remove the cookies, it can get any ticket just like
> > > > > > previously (from curl cmd).
> > > > >
> > > > > Confirmed. I can reproduce it.
> > > >
> > > > This looks like a CDN cache to me. Using cookies will provoke cache
> > > > misses as the CDN can't decide anything about authentication. Thus, it
> > > > ends up accessing the origin server to get the response.
> > >
> > > With cookies:
> > > > < x-cache: Error from cloudfront
> > > > < age: 2
> > > > {"success":false}
> > >
> > > Without cookies:
> > > > < x-cache: RefreshHit from cloudfront
> > > > < age: 181004
> > > > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}
> >
> > Great, good point!
> >
> > And "age: 181004" means the page you see has been 50.27 hours old. So we
> > can say that they've fixed the vuln, but their CDN is still caching
> > the vuln response.
> 
> Right, the only problem here is the tickets served by the CDN cache
> are still accessible. They must reset all tickets again. Otherwise,
> their attempt to protect CF tickets is in vain.

I have posted several questions regarding this to the KiosTix people.
Will send you an update later.

-- 
Ammar Faizi



* Re: CF ticketing system is still vulnerable
  2023-04-23  1:53                                           ` Ammar Faizi
@ 2023-04-23  3:33                                             ` Alviro Iskandar Setiawan
  2023-04-23  3:36                                               ` Ammar Faizi
  0 siblings, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-23  3:33 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 8:53 AM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 08:47:16AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 8:38 AM Ammar Faizi wrote:
> > > On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> > > > On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > > > > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > > > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > Summary:
> > > > > > > > - Access from browser: {"success":false}
> > > > > > > > - Access from my POC: {"success":false}
> > > > > > > > - Access from XHR (real login with cookies):  {"success":true, "etickets": [...]}
> > > > > > > > - Access from curl cmd (no cookies):  {"success":true, "etickets": [...]}
> > > > > > >
> > > > > > > Using real login with cookies can only get tickets that the user owns.
> > > > > > > But if I remove the cookies, it can get any ticket just like
> > > > > > > previously (from curl cmd).
> > > > > >
> > > > > > Confirmed. I can reproduce it.
> > > > >
> > > > > This looks like a CDN cache to me. Using cookies will provoke cache
> > > > > misses as the CDN can't decide anything about authentication. Thus, it
> > > > > ends up accessing the origin server to get the response.
> > > >
> > > > With cookies:
> > > > > < x-cache: Error from cloudfront
> > > > > < age: 2
> > > > > {"success":false}
> > > >
> > > > Without cookies:
> > > > > < x-cache: RefreshHit from cloudfront
> > > > > < age: 181004
> > > > > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}
> > >
> > > Great, good point!
> > >
> > > And "age: 181004" means the page you see has been 50.27 hours old. So we
> > > can say that they've fixed the vuln, but their CDN is still caching
> > > the vuln response.
> >
> > Right, the only problem here is the tickets served by the CDN cache
> > are still accessible. They must reset all tickets again. Otherwise,
> > their attempt to protect CF tickets is in vain.
>
> I have posted several questions regarding this to the KiosTix people.
> Will send you an update later.

Also, ask them when they will delete the old tickets that use Unix
time, because they are all still accessible even with cache-miss
responses.

-- Viro


* Re: CF ticketing system is still vulnerable
  2023-04-23  3:33                                             ` Alviro Iskandar Setiawan
@ 2023-04-23  3:36                                               ` Ammar Faizi
  2023-04-23  3:48                                                 ` Moe
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-23  3:36 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 10:33:10AM +0700, Alviro Iskandar Setiawan wrote: 
> Also, ask them, when do they delete the old tickets that use unix
> time? Because they are all still accessible even with cache miss
> responses.

I did ask the same question. It's unclear when. They said:

[7:57 AM, 4/21/2023] Priska Narinda: Hello mas, minal aidin wal faidzin (happy Eid) yaaa… 🙏🏼🙏🏼
[7:57 AM, 4/21/2023] Priska Narinda: Yess, we will definitely delete them gradually yaaa

-- 
Ammar Faizi



* Re: CF ticketing system is still vulnerable
  2023-04-23  3:36                                               ` Ammar Faizi
@ 2023-04-23  3:48                                                 ` Moe
  2023-04-23  3:56                                                   ` Ammar Faizi
  2023-04-23  5:35                                                   ` Ammar Faizi
  0 siblings, 2 replies; 36+ messages in thread
From: Moe @ 2023-04-23  3:48 UTC (permalink / raw)
  To: Ammar Faizi, Alviro Iskandar Setiawan; +Cc: GNU/Weeb Mailing List

[-- Attachment #1: Type: text/html, Size: 598 bytes --]


* Re: CF ticketing system is still vulnerable
  2023-04-23  3:48                                                 ` Moe
@ 2023-04-23  3:56                                                   ` Ammar Faizi
  2023-04-23  5:23                                                     ` Alviro Iskandar Setiawan
  2023-04-23  5:35                                                   ` Ammar Faizi
  1 sibling, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-23  3:56 UTC (permalink / raw)
  To: Moe; +Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 03:48:27AM +0000, Moe wrote:
> I think they just don't take this seriously.
>
> They always say that they have fixed known bugs without confirming it
> first :v

Yeah, that's what I hate about KiosTix. They don't seem to be competent
in addressing security reports. We don't even see any mitigation or
immediate hot patch to address the vuln.

-- 
Ammar Faizi



* Re: CF ticketing system is still vulnerable
  2023-04-23  3:56                                                   ` Ammar Faizi
@ 2023-04-23  5:23                                                     ` Alviro Iskandar Setiawan
  2023-04-23  5:28                                                       ` Ammar Faizi
  0 siblings, 1 reply; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-23  5:23 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Moe, GNU/Weeb Mailing List


This is just a test to send an HTML email. Want to see how bad it is when
displayed on the lore.

-- Viro



* Re: CF ticketing system is still vulnerable
  2023-04-23  5:23                                                     ` Alviro Iskandar Setiawan
@ 2023-04-23  5:28                                                       ` Ammar Faizi
  2023-04-23  5:43                                                         ` Alviro Iskandar Setiawan
  0 siblings, 1 reply; 36+ messages in thread
From: Ammar Faizi @ 2023-04-23  5:28 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan; +Cc: Moe, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 12:23:48PM +0700, Alviro Iskandar Setiawan wrote:
> This is just a test to send an HTML email. Want to see how bad it is when
> displayed on the lore.

Well, that looks good. It's because your email contains two parts: HTML
and plain text.

The lore can properly render the plain text part, but not the HTML. Not
all mail clients do that, though. I appreciate Gmail for doing it.

-- 
Ammar Faizi



* Re: CF ticketing system is still vulnerable
  2023-04-23  3:48                                                 ` Moe
  2023-04-23  3:56                                                   ` Ammar Faizi
@ 2023-04-23  5:35                                                   ` Ammar Faizi
  1 sibling, 0 replies; 36+ messages in thread
From: Ammar Faizi @ 2023-04-23  5:35 UTC (permalink / raw)
  To: Moe; +Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 03:48:27AM +0000, Moe wrote:
> <unreadable HTML gunk>

Apart from this HTML issue, your Xiaomi mail client doesn't preserve the
"References" header, which makes the reference to the previous thread
get lost. I recommend using Gmail and Thunderbird (for desktop).

I personally use the mutt mail client (it runs on the CLI). It's a nice
mail client with rich features, but it takes a lot of time to learn the
keys, so it's obviously not the first choice for a beginner.

-- 
Ammar Faizi



* Re: CF ticketing system is still vulnerable
  2023-04-23  5:28                                                       ` Ammar Faizi
@ 2023-04-23  5:43                                                         ` Alviro Iskandar Setiawan
  0 siblings, 0 replies; 36+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-04-23  5:43 UTC (permalink / raw)
  To: Ammar Faizi; +Cc: Moe, GNU/Weeb Mailing List


On Sun, Apr 23, 2023 at 12:29 PM Ammar Faizi wrote:

> On Sun, Apr 23, 2023 at 12:23:48PM +0700, Alviro Iskandar Setiawan wrote:
> > This is just a test to send an HTML email. Want to see how bad it is when
> > displayed on the lore.
>
> Well, that looks good. It's because your email contains two parts. HTML
> and plain text.
>
> The lore can properly render the plain text part, but not the HTML. Not
> all mail clients do that though. I appreciate gmail for doing it.
>

yea, it also auto word-wraps :v

-- Viro


