Re: CF ticketing system is still vulnerable

[Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>]

On Sat, Apr 22, 2023 at 7:18 AM Ammar Faizi wrote:
> On Sat, Apr 22, 2023 at 07:09:51AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sat, Apr 22, 2023 at 6:51 AM Ammar Faizi wrote:
> > > On Sat, Apr 22, 2023 at 6:42 AM Alviro Iskandar Setiawan wrote:
> > > > On Sat, Apr 22, 2023 at 6:21 AM Ammar Faizi wrote:
> > > > > On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> > > > > > On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > > POC and sample attached.
> > > > > > >
> > > > > > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > > > > > > ./gwcfd2;
> > > > > >
> > > > > > I'll address this ASAP.
> > > > >
> > > > > I sent your POC and sample to the KiosTix people yesterday. At first,
> > > > > they didn't acknowledge the leak because they thought you leaked the
> > > > > old tickets.
> > > >
> > > > Didn't they read the dump.txt file I sent? It looks new to me... Or
> > > > maybe I am the one who ate their sweet honeypot this time?
> > >
> > > No, I don't think that's a honeypot. I just confirmed that my new
> > > tickets that already use UUIDv4 are in your dump too. So it's legit;
> > > they just didn't understand what you're trying to inform.
> >
> > Doubt, did you talk to a dev or a manager? I guess you were talking to
> > a manager who doesn't understand the technical stuff behind this.
>
> To both of them, actually. Initially, I was talking to the "head of
> sales & partnetship" person. Then she created a WA group where I
> directly talk to the dev.

mending turu :/

-- Viro