On Sat, Apr 22, 2023 at 6:21 AM Ammar Faizi wrote:
> On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> > On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > > POC and sample attached.
> > >
> > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > > ./gwcfd2;
> >
> > I'll address this ASAP.
>
> I sent your POC and sample to the KiosTix people yesterday. At first,
> they didn't acknowledge the leak because they thought you leaked the
> old tickets.

Didn't they read the dump.txt file I sent? It looks new to me... Or maybe
I am the one who ate their sweet honeypot this time?

> Looking at their response, they will need a few days to mull things
> over before they fix the vuln. Plus, they will probably have
> difficulty grasping what your crazy multithreaded POC is actually
> doing. So let's give them more time; they're web developers, not
> super-savants.

Imagine what will happen if someone else outside GNU/Weeb finds the vuln
and posts it publicly. Hope they don't blame us in case that happens.

-- 
Viro