From: Alviro Iskandar Setiawan
Date: Sun, 23 Apr 2023 10:33:10 +0700
Subject: Re: CF ticketing system is still vulnerable
To: Ammar Faizi
Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 8:53 AM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 08:47:16AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 8:38 AM Ammar Faizi wrote:
> > > On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> > > > On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > > > > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > > > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > Summary:
> > > > > > > > - Access from browser: {"success":false}
> > > > > > > > - Access from my POC: {"success":false}
> > > > > > > > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > > > > > > > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
> > > > > > >
> > > > > > > Using real login with cookies can only get tickets that the user owns.
> > > > > > > But if I remove the cookies, it can get any ticket just like
> > > > > > > previously (from curl cmd).
> > > > > >
> > > > > > Confirmed. I can reproduce it.
> > > > >
> > > > > This looks like a CDN cache to me. Using cookies will provoke cache
> > > > > misses as the CDN can't decide anything about authentication. Thus, it
> > > > > ends up accessing the origin server to get the response.
> > > >
> > > > With cookies:
> > > > > < x-cache: Error from cloudfront
> > > > > < age: 2
> > > > > {"success":false}
> > > >
> > > > Without cookies:
> > > > > < x-cache: RefreshHit from cloudfront
> > > > > < age: 181004
> > > > > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}
> > >
> > > Great, good point!
> > >
> > > And "age: 181004" means the page you see is 50.27 hours old. So we
> > > can say that they've fixed the vuln, but their CDN is still caching
> > > the vuln response.
> >
> > Right, the only problem here is the tickets served by the CDN cache
> > are still accessible. They must reset all tickets again. Otherwise,
> > their attempt to protect CF tickets is in vain.
>
> I have posted several questions regarding this to the KiosTix people.
> Will send you an update later.

Also, ask them, when do they delete the old tickets that use unix time?
Because they are all still accessible even with cache miss responses.

-- Viro
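Added example, not code from the thread or from KiosTix: an offline audit of captured curl header output that flags the failure mode discussed above, a CDN (CloudFront here) serving a cached copy of an authenticated API response to requests that carry no session cookie. The two captures are constructed from the `x-cache` and `age` lines quoted in the thread; the `cache-control` values in them are an assumption, since the thread does not show that header. The age-to-hours conversion reproduces the 181004 s = 50.27 h figure from the thread.

```python
"""Audit captured CDN response headers for stale caching of private data.

Constructed captures in curl's "< name: value" format. The x-cache and age
values come from the thread; cache-control is an assumed value, not observed.
"""

# Capture 1 (assumed headers): request sent with a session cookie.
WITH_COOKIES = """\
< HTTP/2 200
< content-type: application/json
< cache-control: no-cache
< x-cache: Error from cloudfront
< age: 2
"""

# Capture 2 (assumed headers): same endpoint, request sent without cookies.
WITHOUT_COOKIES = """\
< HTTP/2 200
< content-type: application/json
< cache-control: no-cache
< x-cache: RefreshHit from cloudfront
< age: 181004
"""

# What the origin should emit for per-user responses so no shared cache
# stores them (assumed recommendation, not taken from the thread).
RECOMMENDED_CACHE_CONTROL = "private, no-store"


def parse_curl_headers(capture: str) -> dict:
    """Parse '< name: value' lines into a dict keyed by lowercased header name.

    Lines without a colon (the status line) and lines not starting with '<'
    (response body) are skipped.
    """
    headers = {}
    for raw in capture.splitlines():
        line = raw.strip()
        if not line.startswith("<"):
            continue
        body = line[1:].strip()
        if ":" not in body:
            continue
        name, _, value = body.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def age_hours(headers: dict) -> float:
    """Convert the Age header (seconds in cache) to hours, two decimals."""
    return round(int(headers.get("age", "0")) / 3600, 2)


def served_from_cdn_cache(headers: dict) -> bool:
    """CloudFront reports 'Hit', 'RefreshHit', 'Miss' or 'Error from cloudfront'.

    Only the Hit variants mean the body came from the edge cache rather than
    the origin.
    """
    return "hit" in headers.get("x-cache", "").lower()


def shared_cache_allowed(headers: dict) -> bool:
    """True unless Cache-Control forbids storage in a shared cache.

    'no-cache' alone is not enough: it only requires revalidation and still
    lets the CDN store the response.
    """
    directives = {
        d.strip().lower()
        for d in headers.get("cache-control", "").split(",")
        if d.strip()
    }
    return not ({"private", "no-store"} & directives)


def audit(headers: dict) -> dict:
    """Summarise whether this response could be a stale private body served
    from a shared cache. The risk flag is the conjunction of 'the edge served
    it from cache' and 'nothing told the edge not to store it'."""
    from_cache = served_from_cdn_cache(headers)
    storable = shared_cache_allowed(headers)
    return {
        "served_from_cache": from_cache,
        "age_hours": age_hours(headers),
        "shared_cache_allowed": storable,
        "stale_private_data_risk": from_cache and storable,
    }


if __name__ == "__main__":
    for label, capture in (("with cookies", WITH_COOKIES),
                           ("without cookies", WITHOUT_COOKIES)):
        print(label, audit(parse_curl_headers(capture)))
```

Run against your own endpoints by pasting `curl -v` output into the two capture strings; a `stale_private_data_risk` of `True` on the cookieless capture is the thread's situation, and the remediation is twofold: invalidate or rotate the objects the cache already holds (the "reset all tickets" point), and emit `Cache-Control: private, no-store` so the CDN never stores per-user responses again.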