From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <alviro.iskandar@gnuweeb.org>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on gnuweeb.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,URIBL_BLOCKED,URI_HEX
	autolearn=ham autolearn_force=no version=3.4.6
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gnuweeb.org;
	s=default; t=1682204304;
	bh=rlVDWD46Jdh2B012Lbd/f1Y4IqyFx87gWU+k21w5blo=;
	h=References:In-Reply-To:From:Date:Subject:To:Cc;
	b=r7DLniKuOyZ2e3/4gzmA1KOn2skbUIBA4C0fVYbeZINjH33Eek8/kZ/0buns069q0
	 D1hBE9Sa6IBe3yHbbcC913HpQuEPiUDNa4daPuYMoCsK21EGWNrLjeZhpCJebvCgAY
	 XSnYOisXo4/kgfWMvDbStbHcsfMxkblu+jjeeDDfHDXf1hZIFKyYuek3KmzgLJpo5L
	 fBqNL54KaxbvZIzQAABVw+VGVd4IBLO12Hj7OfvPyHr0hfAOr+Q9odcEQfz8fdvBbK
	 BRpMoA5eVqjtcipJZ67161wN3ZOy/C74x3ZZtBrgspAdVxOhgVJi4qc+dIxu2gv8dX
	 K2px+QTsXoJsg==
Received: from mail-lj1-f175.google.com (mail-lj1-f175.google.com [209.85.208.175])
	by gnuweeb.org (Postfix) with ESMTPSA id 160382457BE
	for <gwml@vger.gnuweeb.org>; Sun, 23 Apr 2023 05:58:24 +0700 (WIB)
Received: by mail-lj1-f175.google.com with SMTP id 38308e7fff4ca-2a8bca69e8bso28363371fa.3
        for <gwml@vger.gnuweeb.org>; Sat, 22 Apr 2023 15:58:23 -0700 (PDT)
X-Gm-Message-State: AAQBX9dFwbdIAaLeucPJmiGOTZlXXjdF0rTaQQU245QDH8DUhINFkYKy
	wBuNfxGFtOn0sAs3bEYukk9W0wFJYL8PZA4+OaE=
X-Google-Smtp-Source: AKy350bGfn+UpLE5GwSsRIcD6dpAssD3VNloafY5Lbh+2az+q1opgFpE/qqCXZrpNd9vh409M+Ly4LlS+md6b9H3H5E=
X-Received: by 2002:a2e:b2d1:0:b0:2a8:e6f8:301e with SMTP id
 17-20020a2eb2d1000000b002a8e6f8301emr1509425ljz.28.1682204301935; Sat, 22 Apr
 2023 15:58:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAFBCWQL2i53P7QwHRXFu8WFbFbC7G8rLi-nNqqzRdeaXTC7F-g@mail.gmail.com>
 <CAFBCWQLN3ZTDciA+K4APQcR9XjJm8v_wec8BNiEe5swa3gRv-A@mail.gmail.com>
 <CAOG64qMbOABpMtaY330Zt2pZ7-4J8CPm6WLpwEzumc_wgto7VA@mail.gmail.com>
 <CAFBCWQKz7ypVuYkDmGRfcwjkcHzZOqJtUjZNthpa-p4Chr-8sg@mail.gmail.com>
 <CAOG64qPq3whtOxA24LmmVRvzQEK4OEXRzMQAJpqO-e=xM8w4zQ@mail.gmail.com>
 <ZEMn7d52bx8knqPW@biznet-home.integral.gnuweeb.org> <CAOG64qNpZq0Q0OCKgKuNWSX=BG+y-az5_YObgUt1vPfnD1pXPg@mail.gmail.com>
 <ZEMtOzT8PnppTLkK@biznet-home.integral.gnuweeb.org> <CAOG64qMUTuD2BZZiEZsjw=ivGfkv2Tu28Nr7Ar808NptvU0idw@mail.gmail.com>
 <ZEMx695Kl6rmZUEv@biznet-home.integral.gnuweeb.org> <ZENIBgfiQSnZcGS6@biznet-home.integral.gnuweeb.org>
 <CAOG64qO-G66HPBBmsDs80fgfCQrN2o1oSZ720i2TJSMn67cgpw@mail.gmail.com>
In-Reply-To: <CAOG64qO-G66HPBBmsDs80fgfCQrN2o1oSZ720i2TJSMn67cgpw@mail.gmail.com>
From: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Date: Sun, 23 Apr 2023 05:58:09 +0700
X-Gmail-Original-Message-ID: <CAOG64qMi=1oM+iEKZmoQQWonDzE1ZBkfA5pCNmF2LQYQcK8KRw@mail.gmail.com>
Message-ID: <CAOG64qMi=1oM+iEKZmoQQWonDzE1ZBkfA5pCNmF2LQYQcK8KRw@mail.gmail.com>
Subject: Re: CF ticketing system is still vulnerable
To: Ammar Faizi <ammarfaizi2@gnuweeb.org>
Cc: Michael William Jonathan <moe@chocola.dev>, "GNU/Weeb Mailing List" <gwml@vger.gnuweeb.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <gwml.vger.gnuweeb.org>

On Sat, Apr 22, 2023 at 1:02=E2=80=AFPM Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 9:35=E2=80=AFAM Ammar Faizi wrote:
> > They just said they have fixed the vuln. Please verify that it's
> > actually fixed, then you can sleep well.
>
> Looks good to me. Now the endpoint returns {"success":false}.

Back to this again, I am not sure if the fix is proper. I get HTTP 500
when accessing it from libcurl in my C program:

> * Copying HTTP/2 data in stream buffer to connection buffer after upgrade=
: len=3D0
> * Using Stream ID: 1 (easy handle 0x7f19f0000b70)
> > GET /<URI> HTTP/2
> > Host: kiostix.com
> > user-agent: curl/7.81.0
> > accept: */*
>
> * Connection state changed (MAX_CONCURRENT_STREAMS =3D=3D 128)!
> < HTTP/2 500
> < content-type: application/json; charset=3Dutf-8
> < content-length: 17
> < date: Sat, 22 Apr 2023 22:45:27 GMT
> < access-control-allow-credentials: true
> < access-control-allow-origin: *
> < access-control-allow-methods: GET,OPTIONS,PATCH,DELETE,POST,PUT
> < access-control-allow-headers: X-CSRF-Token, X-Requested-With, Accept, A=
ccept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Versi=
on
> < etag: "zngjl94gbkh"
> < vary: Accept-Encoding
> < x-cache: Error from cloudfront
> < via: 1.1 6f91c725c3d4f2326304347075e516a4.cloudfront.net (CloudFront)
> < x-amz-cf-pop: SIN2-P1
> < x-amz-cf-id: _2tJGxIIYax9O0HQ6DexdXe1EYH_u8_Ow1d5Z6N2G9mGSRU2RRGkKw=3D=
=3D
> <
> * Connection #0 to host kiostix.com left intact
> {"success":false}

But if I access it from curl cmd:

> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > GET /<URI> HTTP/2
> > Host: kiostix.com
> > user-agent: curl/7.81.0
> > accept: */*
> >
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * Connection state changed (MAX_CONCURRENT_STREAMS =3D=3D 128)!
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> < HTTP/2 200
> < content-type: application/json; charset=3Dutf-8
> < content-length: 167
> < date: Thu, 20 Apr 2023 23:12:21 GMT
> < access-control-allow-credentials: true
> < access-control-allow-origin: *
> < access-control-allow-methods: GET,OPTIONS,PATCH,DELETE,POST,PUT
> < access-control-allow-headers: X-CSRF-Token, X-Requested-With, Accept, A=
ccept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Versi=
on
> < etag: "d65958y5yu4n"
> < vary: Accept-Encoding
> < x-cache: RefreshHit from cloudfront
> < via: 1.1 8d08de7fce6cdb6f648bade508fa2926.cloudfront.net (CloudFront)
> < x-amz-cf-pop: SIN2-P1
> < x-amz-cf-id: 3CtjmR6LPdqP4wVerazXS7DVYSVaPdEYQ609h-Uczw9UgjeQ6W-BFw=3D=
=3D
> < age: 171251
> <
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * Connection #0 to host kiostix.com left intact
> {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-=
4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9=
492-f471a526dc84"]}

That means it's not fixed. Also, HTTP 500 indicates internal server
error. It seems something goes very wrong with their fix attempt. So
yes, it's still vulnerable when I write this email.

-- Viro