From: Alviro Iskandar Setiawan
Date: Sun, 23 Apr 2023 05:58:09 +0700
Subject: Re: CF ticketing system is still vulnerable
To: Ammar Faizi
Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 1:02 PM Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 9:35 AM Ammar Faizi wrote:
> > They just said they have fixed the vuln. Please verify that it's
> > actually fixed, then you can sleep well.
>
> Looks good to me. Now the endpoint returns {"success":false}.

Back to this again, I am not sure if the fix is proper. I get HTTP 500
when accessing it from libcurl in my C program:

> * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
> * Using Stream ID: 1 (easy handle 0x7f19f0000b70)
> > GET / HTTP/2
> > Host: kiostix.com
> > user-agent: curl/7.81.0
> > accept: */*
> >
> * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
> < HTTP/2 500
> < content-type: application/json; charset=utf-8
> < content-length: 17
> < date: Sat, 22 Apr 2023 22:45:27 GMT
> < access-control-allow-credentials: true
> < access-control-allow-origin: *
> < access-control-allow-methods: GET,OPTIONS,PATCH,DELETE,POST,PUT
> < access-control-allow-headers: X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version
> < etag: "zngjl94gbkh"
> < vary: Accept-Encoding
> < x-cache: Error from cloudfront
> < via: 1.1 6f91c725c3d4f2326304347075e516a4.cloudfront.net (CloudFront)
> < x-amz-cf-pop: SIN2-P1
> < x-amz-cf-id: _2tJGxIIYax9O0HQ6DexdXe1EYH_u8_Ow1d5Z6N2G9mGSRU2RRGkKw==
> <
> * Connection #0 to host kiostix.com left intact
> {"success":false}

But if I access it from the curl command:

> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > GET / HTTP/2
> > Host: kiostix.com
> > user-agent: curl/7.81.0
> > accept: */*
> >
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> < HTTP/2 200
> < content-type: application/json; charset=utf-8
> < content-length: 167
> < date: Thu, 20 Apr 2023 23:12:21 GMT
> < access-control-allow-credentials: true
> < access-control-allow-origin: *
> < access-control-allow-methods: GET,OPTIONS,PATCH,DELETE,POST,PUT
> < access-control-allow-headers: X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version
> < etag: "d65958y5yu4n"
> < vary: Accept-Encoding
> < x-cache: RefreshHit from cloudfront
> < via: 1.1 8d08de7fce6cdb6f648bade508fa2926.cloudfront.net (CloudFront)
> < x-amz-cf-pop: SIN2-P1
> < x-amz-cf-id: 3CtjmR6LPdqP4wVerazXS7DVYSVaPdEYQ609h-Uczw9UgjeQ6W-BFw==
> < age: 171251
> <
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * Connection #0 to host kiostix.com left intact
> {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}

That means it's not fixed. Also, HTTP 500 indicates an internal server
error. It seems something went very wrong with their fix attempt. So yes,
it's still vulnerable as I write this email.

-- 
Viro
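Added example, not part of the thread above: a small Python check that pulls the status line and the CloudFront x-cache and age headers out of curl -v captures like the two in this message (mail-quoted or not) and reports whether a reply was served by the edge cache or by the origin, which is the distinction one needs when re-testing a fix that sits behind a CDN. The class and function names are my own; the sample header lines are copied from the captures in this message.

```python
import re
from dataclasses import dataclass

@dataclass
class CurlResponse:
    status: int
    headers: dict

def parse_curl_response(verbose_text: str) -> CurlResponse:
    """Collect the '<' (response) lines of curl -v output; leading
    '> ' mail-quote prefixes, as in the captures above, are dropped."""
    status, headers = 0, {}
    for raw in verbose_text.splitlines():
        line = re.sub(r"^\s*(>\s+)*", "", raw)
        if not line.startswith("<"):
            continue
        line = line[1:].strip()
        m = re.match(r"HTTP/[\d.]+\s+(\d{3})", line)
        if m:
            status = int(m.group(1))
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return CurlResponse(status, headers)

def cache_verdict(resp: CurlResponse) -> str:
    """'cache': the edge served its stored copy, so the body shows what the
    origin returned when the object was cached, not what it returns now.
    'origin-error': CloudFront relayed an origin failure. 'origin': a miss,
    the origin answered this very request."""
    xc = resp.headers.get("x-cache", "").lower()
    age = int(resp.headers.get("age", "0") or 0)
    if xc.startswith(("hit", "refreshhit")) or age > 0:
        return "cache"
    if xc.startswith("error"):
        return "origin-error"
    return "origin"

# Sample inputs (constructed): header lines copied from the two captures above.
CACHED_200 = """\
< HTTP/2 200
< x-cache: RefreshHit from cloudfront
< age: 171251
<
"""
ORIGIN_500 = """\
> < HTTP/2 500
> < x-cache: Error from cloudfront
> <
"""
```

Feed it the full `curl -v` output (or the quoted copy from a mail) and compare the verdict of each capture before reading anything into the body.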