From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <alviro.iskandar@gnuweeb.org>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on gnuweeb.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF autolearn=ham
	autolearn_force=no version=3.4.6
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gnuweeb.org;
	s=default; t=1682220803;
	bh=PbSKuJ/uznMz/WHbxg9kBBUSQd1J/BHwnbs0fhiV4zk=;
	h=References:In-Reply-To:From:Date:Subject:To:Cc;
	b=atVvSu7ybODtxS3RLm7VtmGFNYAeYG+URMLBVAnRA6uEqUScZSOKui9C52TVT1Qtp
	 Sh75fW6MierR61c+UesL/EO0HDviu3MY50w6byajkUYk0PkCLllR2X6XrU0OucomKf
	 h2v9oIh9h1JsBPJNS/BhDlIhNqixs2oVMrl/vAhDZozl1vx21cRyELoZsX4zHFegyh
	 3o1ikVGHY5VVtXTYrH36MMW4G7X78uYcpNr9LsclJw5vznjRUSegjV/hlxNuTOgKkb
	 PNDFJWktWC8qBatXrGCfUKWxn0dHVxnAlO/6A3efolWj4l9r0jvQaArsdrVcczMEdT
	 RAbxDSGf1OPLA==
Received: from mail-lj1-f174.google.com (mail-lj1-f174.google.com [209.85.208.174])
	by gnuweeb.org (Postfix) with ESMTPSA id D48EF24582E
	for <gwml@vger.gnuweeb.org>; Sun, 23 Apr 2023 10:33:23 +0700 (WIB)
Received: by mail-lj1-f174.google.com with SMTP id 38308e7fff4ca-2a8ba693f69so30085781fa.0
        for <gwml@vger.gnuweeb.org>; Sat, 22 Apr 2023 20:33:23 -0700 (PDT)
X-Gm-Message-State: AAQBX9fgKUKMHbmrETXNUTJOCdn6cR6n2zsjwVoQBK4fjt+JIOgvpHws
	OGni8tLkOrxkkQ9LBwx38GSHuTXEAJQ4+kqMEkE=
X-Google-Smtp-Source: AKy350bHpDamTDeUxEzM8WSbom2mBWUn08p566YuckrImeeS7D5NdXqrOCfAcNZEZB0u5HDU6qMK8+zno6oRHXprY/g=
X-Received: by 2002:a2e:95c4:0:b0:298:b333:4267 with SMTP id
 y4-20020a2e95c4000000b00298b3334267mr1709763ljh.18.1682220801767; Sat, 22 Apr
 2023 20:33:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAOG64qO-G66HPBBmsDs80fgfCQrN2o1oSZ720i2TJSMn67cgpw@mail.gmail.com>
 <CAOG64qMi=1oM+iEKZmoQQWonDzE1ZBkfA5pCNmF2LQYQcK8KRw@mail.gmail.com>
 <ZERoaUptOd5Zq0gj@biznet-home.integral.gnuweeb.org> <CAOG64qPCF=iQVTwFzk=q0SHet2h+71cxJt3=jDuV-0Pf1Td3Xw@mail.gmail.com>
 <CAOG64qN_prvKLJ21A14zphG8UOXCN6OQ1dOQpuH+KEtr-SHgbw@mail.gmail.com>
 <ZERvkyIY5kz6vH7m@biznet-home.integral.gnuweeb.org> <CAOG64qPSwNb944tUzUm+TjCXZYJPUnBA0m4Q71-6mO6Bx3T4QQ@mail.gmail.com>
 <CAOG64qOCKhBCRtH6bhoZLJG5sz7ifdt4AzPZtZnbEnG+4hqKAQ@mail.gmail.com>
 <ZESMHZDr0K/nqYlT@biznet-home.integral.gnuweeb.org> <CAOG64qP1-u4-n8bQ9Rxr0YJtwRjm1M-00Pht0Kq6m-Q3MFTEsA@mail.gmail.com>
 <ZESPrMlxeYmbv4yT@biznet-home.integral.gnuweeb.org>
In-Reply-To: <ZESPrMlxeYmbv4yT@biznet-home.integral.gnuweeb.org>
From: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Date: Sun, 23 Apr 2023 10:33:10 +0700
X-Gmail-Original-Message-ID: <CAOG64qMO1k1dhaG9Od4nhCg-ipXTQsVVagOdpzSCJ6kbMXJ61Q@mail.gmail.com>
Message-ID: <CAOG64qMO1k1dhaG9Od4nhCg-ipXTQsVVagOdpzSCJ6kbMXJ61Q@mail.gmail.com>
Subject: Re: CF ticketing system is still vulnerable
To: Ammar Faizi <ammarfaizi2@gnuweeb.org>
Cc: Michael William Jonathan <moe@chocola.dev>, "GNU/Weeb Mailing List" <gwml@vger.gnuweeb.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <gwml.vger.gnuweeb.org>

On Sun, Apr 23, 2023 at 8:53=E2=80=AFAM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 08:47:16AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 8:38=E2=80=AFAM Ammar Faizi wrote:
> > > On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wr=
ote:
> > > > On Sun, Apr 23, 2023 at 8:28=E2=80=AFAM Alviro Iskandar Setiawan wr=
ote:
> > > > > On Sun, Apr 23, 2023 at 6:36=E2=80=AFAM Ammar Faizi wrote:
> > > > > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setia=
wan wrote:
> > > > > > > On Sun, Apr 23, 2023 at 6:11=E2=80=AFAM Alviro Iskandar Setia=
wan wrote:
> > > > > > > > Summary:
> > > > > > > > - Access from browser: {"success":false}
> > > > > > > > - Access from my POC: {"success":false}
> > > > > > > > - Access from XHR (real login with cookies):  {"success":tr=
ue, "etickets": [...]}
> > > > > > > > - Access from curl cmd (no cookies):  {"success":true, "eti=
ckets": [...]}
> > > > > > >
> > > > > > > Using real login with cookies can only get tickets that the u=
ser owns.
> > > > > > > But if I remove the cookies, it can get any ticket just like
> > > > > > > previously (from curl cmd).
> > > > > >
> > > > > > Confirmed. I can reproduce it.
> > > > >
> > > > > This looks like a CDN cache to me. Using cookies will provoke cac=
he
> > > > > misses as the CDN can't decide anything about authentication. Thu=
s, it
> > > > > ends up accessing the origin server to get the response.
> > > >
> > > > With cookies:
> > > > > < x-cache: Error from cloudfront
> > > > > < age: 2
> > > > > {"success":false}
> > > >
> > > > Without cookies:
> > > > > < x-cache: RefreshHit from cloudfront
> > > > > < age: 181004
> > > > > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbae=
a6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e48=
6-4f6f-9492-f471a526dc84"]}
> > >
> > > Great, good point!
> > >
> > > And "age: 181004" means the page you see has been 50.27 hours old. So=
 we
> > > can say that they've fixed the vuln, but their CDN is still caching
> > > the vuln response.
> >
> > Right, the only problem here is the tickets served by the CDN cache
> > are still accessible. They must reset all tickets again. Otherwise,
> > their attempt to protect CF tickets is in vain.
>
> I have posted several questions regarding this to the KiosTix people.
> Will send you an update later.

Also, ask them, when do they delete the old tickets that use unix
time? Because they are all still accessible even with cache miss
responses.

-- Viro