From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <alviro.iskandar@gnuweeb.org>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on gnuweeb.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,URIBL_BLOCKED autolearn=ham
	autolearn_force=no version=3.4.6
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gnuweeb.org;
	s=default; t=1682205812;
	bh=bNWpafDMEWUqr2CohBvGW798qbTZwGjw5uKcHs+IgSE=;
	h=References:In-Reply-To:From:Date:Subject:To:Cc;
	b=tjJ7TWP240yjPzujU71wgB0CnDi5OAn55ZlzuUrG5Q8souRxKcrvBvRGZlGMDdB69
	 rxHbE7NMsMxtt86MW845keeOJ9B+wp0rSGFjKrtlfoJOwXYwd120GLKiSoDqvq4qB8
	 fZ3H9Y0ca2Z7dzyUDbfiRVph2f3/cat5hu4zzlsTDH6YrgrA5ZlNK5RhQJKJR3Qkbe
	 v96fp+XpIY5V6g0Sqo3qGR7emJ8yNhOBMKomt2ZzuqTlBQyilvrKCAxiOyzeayCbJA
	 9yeKFq5cK+B7xse1SW7cStd+6mz3wSsfKdXIp4qAaiv0W8npucPkr92JjYjlBspylA
	 XVWWxRg7DbvUg==
Received: from mail-lf1-f50.google.com (mail-lf1-f50.google.com [209.85.167.50])
	by gnuweeb.org (Postfix) with ESMTPSA id 68A332457CF
	for <gwml@vger.gnuweeb.org>; Sun, 23 Apr 2023 06:23:32 +0700 (WIB)
Received: by mail-lf1-f50.google.com with SMTP id 2adb3069b0e04-4efd6e26585so1175186e87.1
        for <gwml@vger.gnuweeb.org>; Sat, 22 Apr 2023 16:23:32 -0700 (PDT)
X-Gm-Message-State: AAQBX9cQTLA3OTAqraG4V/zJ0oUwi+41DNMHH+rYQQNdxwl+cgNGv1Gq
	oTfvUSjMN/JT7fEVEs/9ZvlRonDpONi0NLNo+XQ=
X-Google-Smtp-Source: AKy350bSQvCKbtj26B6d5zlW/gbhq4x+bcJmRtHiO9oSZSRpo2i7ctXc+J6sl95AlCCeuVjLVaZ54JXhUW3Yn6Kvshk=
X-Received: by 2002:ac2:4563:0:b0:4e8:3d24:de6f with SMTP id
 k3-20020ac24563000000b004e83d24de6fmr2537088lfm.14.1682205810322; Sat, 22 Apr
 2023 16:23:30 -0700 (PDT)
MIME-Version: 1.0
References: <CAFBCWQKz7ypVuYkDmGRfcwjkcHzZOqJtUjZNthpa-p4Chr-8sg@mail.gmail.com>
 <CAOG64qPq3whtOxA24LmmVRvzQEK4OEXRzMQAJpqO-e=xM8w4zQ@mail.gmail.com>
 <ZEMn7d52bx8knqPW@biznet-home.integral.gnuweeb.org> <CAOG64qNpZq0Q0OCKgKuNWSX=BG+y-az5_YObgUt1vPfnD1pXPg@mail.gmail.com>
 <ZEMtOzT8PnppTLkK@biznet-home.integral.gnuweeb.org> <CAOG64qMUTuD2BZZiEZsjw=ivGfkv2Tu28Nr7Ar808NptvU0idw@mail.gmail.com>
 <ZEMx695Kl6rmZUEv@biznet-home.integral.gnuweeb.org> <ZENIBgfiQSnZcGS6@biznet-home.integral.gnuweeb.org>
 <CAOG64qO-G66HPBBmsDs80fgfCQrN2o1oSZ720i2TJSMn67cgpw@mail.gmail.com>
 <CAOG64qMi=1oM+iEKZmoQQWonDzE1ZBkfA5pCNmF2LQYQcK8KRw@mail.gmail.com>
 <ZERoaUptOd5Zq0gj@biznet-home.integral.gnuweeb.org> <CAOG64qPCF=iQVTwFzk=q0SHet2h+71cxJt3=jDuV-0Pf1Td3Xw@mail.gmail.com>
In-Reply-To: <CAOG64qPCF=iQVTwFzk=q0SHet2h+71cxJt3=jDuV-0Pf1Td3Xw@mail.gmail.com>
From: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Date: Sun, 23 Apr 2023 06:23:18 +0700
X-Gmail-Original-Message-ID: <CAOG64qN_prvKLJ21A14zphG8UOXCN6OQ1dOQpuH+KEtr-SHgbw@mail.gmail.com>
Message-ID: <CAOG64qN_prvKLJ21A14zphG8UOXCN6OQ1dOQpuH+KEtr-SHgbw@mail.gmail.com>
Subject: Re: CF ticketing system is still vulnerable
To: Ammar Faizi <ammarfaizi2@gnuweeb.org>
Cc: Michael William Jonathan <moe@chocola.dev>, "GNU/Weeb Mailing List" <gwml@vger.gnuweeb.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <gwml.vger.gnuweeb.org>

On Sun, Apr 23, 2023 at 6:11=E2=80=AFAM Alviro Iskandar Setiawan wrote:
> Summary:
> - Access from browser: {"success":false}
> - Access from my POC: {"success":false}
> - Access from XHR (real login with cookies):  {"success":true, "etickets"=
: [...]}
> - Access from curl cmd (no cookies):  {"success":true, "etickets": [...]}

Using real login with cookies can only get tickets that the user owns.
But if I remove the cookies, it can get any ticket just like
previously (from curl cmd).

-- Viro