From: Alviro Iskandar Setiawan
Date: Sun, 23 Apr 2023 06:23:18 +0700
Subject: Re: CF ticketing system is still vulnerable
To: Ammar Faizi
Cc: Michael William Jonathan, "GNU/Weeb Mailing List"

On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> Summary:
> - Access from browser: {"success":false}
> - Access from my POC: {"success":false}
> - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}

Using real login with cookies can only get tickets that the user owns.
But if I remove the cookies, it can get any ticket just like
previously (from curl cmd).

-- Viro
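
Added example, not part of the original message and not the ticketing system's code: a handler that enforces ticket ownership only when a session cookie is present reproduces the behaviour reported above, shown next to a fail-closed version. The thread does not state the root cause; the handlers, the cookie name "session" and all sample data are hypothetical and constructed for illustration.

```python
# Constructed sample data: ticket id -> owner and payload (not from the thread).
TICKETS = {
    101: {"owner": "alice", "eticket": "A-101"},
    102: {"owner": "bob", "eticket": "B-102"},
}
# Constructed session store: cookie value -> user (hypothetical).
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def get_ticket_fail_open(ticket_id, cookies):
    """Ownership is enforced only when a valid session cookie is present."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None:
        return {"success": False}
    user = SESSIONS.get(cookies.get("session"))
    # Bug: a request with no (or an unknown) cookie skips the ownership check.
    if user is not None and ticket["owner"] != user:
        return {"success": False}
    return {"success": True, "etickets": [ticket["eticket"]]}


def get_ticket_fail_closed(ticket_id, cookies):
    """Authenticate first, then authorize; everything else is denied."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return {"success": False}  # missing or unknown session: deny
    ticket = TICKETS.get(ticket_id)
    # Same response for "no such ticket" and "not yours": no id oracle.
    if ticket is None or ticket["owner"] != user:
        return {"success": False}
    return {"success": True, "etickets": [ticket["eticket"]]}


def access_matrix(handler):
    """Success flag per caller type; usable as a regression check."""
    cases = {
        "owner": (101, {"session": "sess-alice"}),
        "other_user": (101, {"session": "sess-bob"}),
        "no_cookies": (101, {}),
        "bogus_cookie": (101, {"session": "forged"}),
    }
    return {name: handler(tid, ck)["success"] for name, (tid, ck) in cases.items()}


if __name__ == "__main__":
    print("fail-open  :", access_matrix(get_ticket_fail_open))
    print("fail-closed:", access_matrix(get_ticket_fail_closed))
```

A regression test for the fix should include the no-cookie and unknown-cookie rows, since the logged-in rows pass in both versions.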