Re: CF ticketing system is still vulnerable

[Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>]

On Sun, Apr 23, 2023 at 8:38 AM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > > Summary:
> > > > > > - Access from browser: {"success":false}
> > > > > > - Access from my POC: {"success":false}
> > > > > > - Access from XHR (real login with cookies):  {"success":true, "etickets": [...]}
> > > > > > - Access from curl cmd (no cookies):  {"success":true, "etickets": [...]}
> > > > >
> > > > > Using real login with cookies can only get tickets that the user owns.
> > > > > But if I remove the cookies, it can get any ticket just like
> > > > > previously (from curl cmd).
> > > >
> > > > Confirmed. I can reproduce it.
> > >
> > > This looks like a CDN cache to me. Using cookies will provoke cache
> > > misses as the CDN can't decide anything about authentication. Thus, it
> > > ends up accessing the origin server to get the response.
> >
> > With cookies:
> > > < x-cache: Error from cloudfront
> > > < age: 2
> > > {"success":false}
> >
> > Without cookies:
> > > < x-cache: RefreshHit from cloudfront
> > > < age: 181004
> > > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}
>
> Great, good point!
>
> And "age: 181004" means the page you see has been 50.27 hours old. So we
> can say that they've fixed the vuln, but their CDN is still caching
> the vuln response.

Right, the only problem here is the tickets served by the CDN cache
are still accessible. They must reset all tickets again. Otherwise,
their attempt to protect CF tickets is in vain.

-- Viro