From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <alviro.iskandar@gnuweeb.org>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on gnuweeb.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,URIBL_BLOCKED autolearn=ham
	autolearn_force=no version=3.4.6
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gnuweeb.org;
	s=default; t=1682123362;
	bh=r7GD0Px1cuAL3RcmDXIrKCcO6H+HTNjjmWw976tbpO8=;
	h=References:In-Reply-To:From:Date:Subject:To:Cc;
	b=pPCOav1pYzwggqNk1SXDrBaJEieata6ICJKw3WAuLB27VErOoQelRCmvBvSIGqpoP
	 Pojl/YsxOs504WEYAENDeVrliPzLF4yx/UHHQkpAf0wEQJAajnYxw0ToOlu8lCEBmz
	 Oyp/Bv9nJKn10DYDlbJG0a5nIutrgTthbWKFgkPL/AO90SRnoD4Y57j3+AgnDWBDrg
	 b0t4fHr4oPA7v9rFIdSXW48tT6/3f+WAKSSTsFNLNvNvETQJ0qrTh3E0CdchknDcbk
	 oYkxgOfFWhw0o6kxxAM5OoB+JBeq0LxicKzO6CS6aPEAKpMXUtbS/27m/lS3EZ3p/b
	 fUd++g4aWpC+Q==
Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com [209.85.167.52])
	by gnuweeb.org (Postfix) with ESMTPSA id D7338245798
	for <gwml@vger.gnuweeb.org>; Sat, 22 Apr 2023 07:29:22 +0700 (WIB)
Received: by mail-lf1-f52.google.com with SMTP id 2adb3069b0e04-4edcdfa8638so2383443e87.2
        for <gwml@vger.gnuweeb.org>; Fri, 21 Apr 2023 17:29:22 -0700 (PDT)
X-Gm-Message-State: AAQBX9c6TrE6O2OIpSVo/2nBg7i/YudM39t14tqZ29ADjlT52/XVrqxB
	PXbk6mP8BUApgyE6Ba8joRQHn+avrEMvuBeGh+0=
X-Google-Smtp-Source: AKy350ap/f0ro0xIu46O4MGm7AvBD1V1B7/EvVBkK7QK4pkgU9PQUrUlnsD6iC6+bfKC4ET4Cd7P4VsGnHcArHQ5wx4=
X-Received: by 2002:ac2:544c:0:b0:4ed:b09a:6447 with SMTP id
 d12-20020ac2544c000000b004edb09a6447mr1564807lfn.60.1682123360894; Fri, 21
 Apr 2023 17:29:20 -0700 (PDT)
MIME-Version: 1.0
References: <CAOG64qN7ZPE+twkvxWM8uq4NDsWzbUsXGYvrPxhf55YWG2G3Ww@mail.gmail.com>
 <CAFBCWQL2i53P7QwHRXFu8WFbFbC7G8rLi-nNqqzRdeaXTC7F-g@mail.gmail.com>
 <CAFBCWQLN3ZTDciA+K4APQcR9XjJm8v_wec8BNiEe5swa3gRv-A@mail.gmail.com>
 <CAOG64qMbOABpMtaY330Zt2pZ7-4J8CPm6WLpwEzumc_wgto7VA@mail.gmail.com>
 <CAFBCWQKz7ypVuYkDmGRfcwjkcHzZOqJtUjZNthpa-p4Chr-8sg@mail.gmail.com>
 <CAOG64qPq3whtOxA24LmmVRvzQEK4OEXRzMQAJpqO-e=xM8w4zQ@mail.gmail.com> <ZEMn7d52bx8knqPW@biznet-home.integral.gnuweeb.org>
In-Reply-To: <ZEMn7d52bx8knqPW@biznet-home.integral.gnuweeb.org>
From: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Date: Sat, 22 Apr 2023 07:29:09 +0700
X-Gmail-Original-Message-ID: <CAOG64qNpZq0Q0OCKgKuNWSX=BG+y-az5_YObgUt1vPfnD1pXPg@mail.gmail.com>
Message-ID: <CAOG64qNpZq0Q0OCKgKuNWSX=BG+y-az5_YObgUt1vPfnD1pXPg@mail.gmail.com>
Subject: Re: CF ticketing system is still vulnerable
To: Ammar Faizi <ammarfaizi2@gnuweeb.org>
Cc: Michael William Jonathan <moe@chocola.dev>, "GNU/Weeb Mailing List" <gwml@vger.gnuweeb.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <gwml.vger.gnuweeb.org>

On Sat, Apr 22, 2023 at 7:18=E2=80=AFAM Ammar Faizi wrote:
> On Sat, Apr 22, 2023 at 07:09:51AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sat, Apr 22, 2023 at 6:51=E2=80=AFAM Ammar Faizi wrote:
> > > On Sat, Apr 22, 2023 at 6:42=E2=80=AFAM Alviro Iskandar Setiawan wrot=
e:
> > > > On Sat, Apr 22, 2023 at 6:21=E2=80=AFAM Ammar Faizi wrote:
> > > > > On Fri, Apr 21, 2023 at 7:45=E2=80=AFAM Ammar Faizi wrote:
> > > > > > On Fri, Apr 21, 2023 at 7:42=E2=80=AFAM Alviro Iskandar Setiawa=
n wrote:
> > > > > > > POC and sample attached.
> > > > > > >
> > > > > > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson=
-c -lpthread;
> > > > > > > ./gwcfd2;
> > > > > >
> > > > > > I'll address this ASAP.
> > > > >
> > > > > I sent your POC and sample to the KiosTix people yesterday. At fi=
rst,
> > > > > they didn't acknowledge the leak because they thought you leaked =
the
> > > > > old tickets.
> > > >
> > > > Didn't they read the dump.txt file I sent? It looks new to me... Or
> > > > maybe I am the one who ate their sweet honeypot this time?
> > >
> > > No, I don't think that's a honeypot. I just confirmed that my new
> > > tickets that already use UUIDv4 are in your dump too. So it's legit;
> > > they just didn't understand what you're trying to inform.
> >
> > Doubt, did you talk to a dev or a manager? I guess you were talking to
> > a manager who doesn't understand the technical stuff behind this.
>
> To both of them, actually. Initially, I was talking to the "head of
> sales & partnetship" person. Then she created a WA group where I
> directly talk to the dev.

mending turu :/

-- Viro