Re: CF ticketing system is still vulnerable

[Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>]

On Sat, Apr 22, 2023 at 1:02 PM Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 9:35 AM Ammar Faizi wrote:
> > They just said they have fixed the vuln. Please verify that it's
> > actually fixed, then you can sleep well.
>
> Looks good to me. Now the endpoint returns {"success":false}.

Back to this again, I am not sure if the fix is proper. I get HTTP 500
when accessing it from libcurl in my C program:

> * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
> * Using Stream ID: 1 (easy handle 0x7f19f0000b70)
> > GET /<URI> HTTP/2
> > Host: kiostix.com
> > user-agent: curl/7.81.0
> > accept: */*
>
> * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
> < HTTP/2 500
> < content-type: application/json; charset=utf-8
> < content-length: 17
> < date: Sat, 22 Apr 2023 22:45:27 GMT
> < access-control-allow-credentials: true
> < access-control-allow-origin: *
> < access-control-allow-methods: GET,OPTIONS,PATCH,DELETE,POST,PUT
> < access-control-allow-headers: X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version
> < etag: "zngjl94gbkh"
> < vary: Accept-Encoding
> < x-cache: Error from cloudfront
> < via: 1.1 6f91c725c3d4f2326304347075e516a4.cloudfront.net (CloudFront)
> < x-amz-cf-pop: SIN2-P1
> < x-amz-cf-id: _2tJGxIIYax9O0HQ6DexdXe1EYH_u8_Ow1d5Z6N2G9mGSRU2RRGkKw==
> <
> * Connection #0 to host kiostix.com left intact
> {"success":false}

But if I access it from curl cmd:

> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > GET /<URI> HTTP/2
> > Host: kiostix.com
> > user-agent: curl/7.81.0
> > accept: */*
> >
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> < HTTP/2 200
> < content-type: application/json; charset=utf-8
> < content-length: 167
> < date: Thu, 20 Apr 2023 23:12:21 GMT
> < access-control-allow-credentials: true
> < access-control-allow-origin: *
> < access-control-allow-methods: GET,OPTIONS,PATCH,DELETE,POST,PUT
> < access-control-allow-headers: X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version
> < etag: "d65958y5yu4n"
> < vary: Accept-Encoding
> < x-cache: RefreshHit from cloudfront
> < via: 1.1 8d08de7fce6cdb6f648bade508fa2926.cloudfront.net (CloudFront)
> < x-amz-cf-pop: SIN2-P1
> < x-amz-cf-id: 3CtjmR6LPdqP4wVerazXS7DVYSVaPdEYQ609h-Uczw9UgjeQ6W-BFw==
> < age: 171251
> <
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * Connection #0 to host kiostix.com left intact
> {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}

That means it's not fixed. Also, HTTP 500 indicates internal server
error. It seems something goes very wrong with their fix attempt. So
yes, it's still vulnerable when I write this email.

-- Viro