From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on gnuweeb.org X-Spam-Level: X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gnuweeb.org; s=default; t=1682123362; bh=r7GD0Px1cuAL3RcmDXIrKCcO6H+HTNjjmWw976tbpO8=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=pPCOav1pYzwggqNk1SXDrBaJEieata6ICJKw3WAuLB27VErOoQelRCmvBvSIGqpoP Pojl/YsxOs504WEYAENDeVrliPzLF4yx/UHHQkpAf0wEQJAajnYxw0ToOlu8lCEBmz Oyp/Bv9nJKn10DYDlbJG0a5nIutrgTthbWKFgkPL/AO90SRnoD4Y57j3+AgnDWBDrg b0t4fHr4oPA7v9rFIdSXW48tT6/3f+WAKSSTsFNLNvNvETQJ0qrTh3E0CdchknDcbk oYkxgOfFWhw0o6kxxAM5OoB+JBeq0LxicKzO6CS6aPEAKpMXUtbS/27m/lS3EZ3p/b fUd++g4aWpC+Q== Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com [209.85.167.52]) by gnuweeb.org (Postfix) with ESMTPSA id D7338245798 for ; Sat, 22 Apr 2023 07:29:22 +0700 (WIB) Received: by mail-lf1-f52.google.com with SMTP id 2adb3069b0e04-4edcdfa8638so2383443e87.2 for ; Fri, 21 Apr 2023 17:29:22 -0700 (PDT) X-Gm-Message-State: AAQBX9c6TrE6O2OIpSVo/2nBg7i/YudM39t14tqZ29ADjlT52/XVrqxB PXbk6mP8BUApgyE6Ba8joRQHn+avrEMvuBeGh+0= X-Google-Smtp-Source: AKy350ap/f0ro0xIu46O4MGm7AvBD1V1B7/EvVBkK7QK4pkgU9PQUrUlnsD6iC6+bfKC4ET4Cd7P4VsGnHcArHQ5wx4= X-Received: by 2002:ac2:544c:0:b0:4ed:b09a:6447 with SMTP id d12-20020ac2544c000000b004edb09a6447mr1564807lfn.60.1682123360894; Fri, 21 Apr 2023 17:29:20 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Alviro Iskandar Setiawan Date: Sat, 22 Apr 2023 07:29:09 +0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: CF ticketing system is still vulnerable To: Ammar Faizi Cc: Michael William Jonathan , "GNU/Weeb Mailing List" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: On Sat, Apr 22, 2023 at 7:18=E2=80=AFAM Ammar Faizi wrote: > On Sat, Apr 22, 2023 at 07:09:51AM +0700, Alviro Iskandar Setiawan wrote: > > On Sat, Apr 22, 2023 at 6:51=E2=80=AFAM Ammar Faizi wrote: > > > On Sat, Apr 22, 2023 at 6:42=E2=80=AFAM Alviro Iskandar Setiawan wrot= e: > > > > On Sat, Apr 22, 2023 at 6:21=E2=80=AFAM Ammar Faizi wrote: > > > > > On Fri, Apr 21, 2023 at 7:45=E2=80=AFAM Ammar Faizi wrote: > > > > > > On Fri, Apr 21, 2023 at 7:42=E2=80=AFAM Alviro Iskandar Setiawa= n wrote: > > > > > > > POC and sample attached. > > > > > > > > > > > > > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson= -c -lpthread; > > > > > > > ./gwcfd2; > > > > > > > > > > > > I'll address this ASAP. > > > > > > > > > > I sent your POC and sample to the KiosTix people yesterday. At fi= rst, > > > > > they didn't acknowledge the leak because they thought you leaked = the > > > > > old tickets. > > > > > > > > Didn't they read the dump.txt file I sent? It looks new to me... Or > > > > maybe I am the one who ate their sweet honeypot this time? > > > > > > No, I don't think that's a honeypot. I just confirmed that my new > > > tickets that already use UUIDv4 are in your dump too. So it's legit; > > > they just didn't understand what you're trying to inform. > > > > Doubt, did you talk to a dev or a manager? I guess you were talking to > > a manager who doesn't understand the technical stuff behind this. > > To both of them, actually. Initially, I was talking to the "head of > sales & partnetship" person. Then she created a WA group where I > directly talk to the dev. mending turu :/ -- Viro