From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on gnuweeb.org X-Spam-Level: X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gnuweeb.org; s=default; t=1682037960; bh=dL390MaOMmxc5R0hb50bWivTUac60f0TaUmgePNKA1E=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=QipNzLKXBCGrLwk1V2HcL2oHwPcs0cCH/SFcqvHF4Jt+V9ejxE8D66k4TPRgdEI7q xvIwlX9VzbPZ5eUBB3KCrR8xZXrG5P81frF7ehUm/vwaCxRwLLWUG5hw8At27VUJqR iHb1rAid1ziJdXzsYMU4EvXPXK/nFl7dyzgkoCrjV7/zTosxnzLgIWjL7/djFbMYQu gJNYIa6JVD9/upwTZuKZQSQHQb5sgLSSaWSEOUc7Hc8+MUlGskCFKaILK8Tuc63982 4fWJ38mwqY4/7EulShULMkqWKIu7COQvKPnWNXJrrSmQs3Myhy3hWBGAI5jYDouOGU 7XxwjwGujXk6w== Received: from mail-yb1-f173.google.com (mail-yb1-f173.google.com [209.85.219.173]) by gnuweeb.org (Postfix) with ESMTPSA id 410C6245742 for ; Fri, 21 Apr 2023 07:46:00 +0700 (WIB) Received: by mail-yb1-f173.google.com with SMTP id 3f1490d57ef6-b94d8d530c3so302087276.0 for ; Thu, 20 Apr 2023 17:46:00 -0700 (PDT) X-Gm-Message-State: AAQBX9dnwCBFgQZT+9v03+HZVE8mC9VWjShld+RdVItmPx7uu05QDk1K I0b6FWF8MgwT0/3TDM0lZ10J/YUF42n9ldCpwb4= X-Google-Smtp-Source: AKy350Z3uonwyfAvOin0hbYWpGPcJg4+nPuZD3wpTi55YGq37+2Nunr43l7JzAQYo8wapPDiLx0szYGZNM+pvgv9Cks= X-Received: by 2002:a25:b19c:0:b0:b8f:71f:7084 with SMTP id h28-20020a25b19c000000b00b8f071f7084mr3048374ybj.3.1682037958943; Thu, 20 Apr 2023 17:45:58 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Ammar Faizi Date: Fri, 21 Apr 2023 07:45:43 +0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: CF ticketing system is still vulnerable To: Alviro Iskandar Setiawan Cc: Michael William Jonathan , "GNU/Weeb Mailing List" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: On Fri, Apr 21, 2023 at 7:42=E2=80=AFAM Alviro Iskandar Setiawan wrote: > Hi Ammar, > > After the recent fix from KiosTix, I can still dump 10889 tickets this > morning. I found that about 90% of tickets already use UUIDv4 in this > dump. KiosTix MUST also reset all tickets again despite the fact that > they already use UUIDv4 because everything is still publicly > available. > > Please report this immediately to KiosTix! > > POC and sample attached. > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread= ; > ./gwcfd2; I'll address this ASAP. --=20 Ammar Faizi