From: Alviro Iskandar Setiawan
Date: Sun, 23 Apr 2023 08:47:16 +0700
Subject: Re: CF ticketing system is still vulnerable
To: Ammar Faizi
Cc: Michael William Jonathan, "GNU/Weeb Mailing List"

On Sun, Apr 23, 2023 at 8:38 AM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > > Summary:
> > > > > > - Access from browser: {"success":false}
> > > > > > - Access from my POC: {"success":false}
> > > > > > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > > > > > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
> > > > >
> > > > > Using real login with cookies can only get tickets that the user owns.
> > > > > But if I remove the cookies, it can get any ticket just like
> > > > > previously (from curl cmd).
> > > >
> > > > Confirmed. I can reproduce it.
> > >
> > > This looks like a CDN cache to me. Using cookies will provoke cache
> > > misses as the CDN can't decide anything about authentication. Thus, it
> > > ends up accessing the origin server to get the response.
> >
> > With cookies:
> > > < x-cache: Error from cloudfront
> > > < age: 2
> > > {"success":false}
> >
> > Without cookies:
> > > < x-cache: RefreshHit from cloudfront
> > > < age: 181004
> > > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}
>
> Great, good point!
>
> And "age: 181004" means the page you see is 50.27 hours old. So we
> can say that they've fixed the vuln, but their CDN is still caching
> the vuln response.

Right, the only problem here is the tickets served by the CDN cache are
still accessible. They must reset all tickets again. Otherwise, their
attempt to protect CF tickets is in vain.

-- Viro
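The cache behaviour the thread pins down (a per-user API response stored at the CDN edge and replayed to requests without cookies), as an added example that is not part of the original mail or the ticketing service's code: it audits response headers the way a defender would on their own endpoint, using constructed header sets modelled on the two curl outputs quoted above, and shows the Cache-Control and Vary headers an authenticated endpoint should send. The RFC 9111 storability check is deliberately simplified.

```python
"""Added example (not the thread's or the service's code): audit whether a
per-user JSON response can be stored and replayed by a shared cache (CDN
edge), per simplified RFC 9111 Cache-Control rules, and show the fix."""

# Constructed header sets modelled on the two curl runs quoted in the thread.
STALE_CDN_HIT = {  # edge served it without cookies, 181004 s after the origin did
    "content-type": "application/json",
    "x-cache": "RefreshHit from cloudfront",
    "age": "181004",
}
HARDENED_ORIGIN = {  # what the origin should send for an authenticated endpoint
    "content-type": "application/json",
    "cache-control": "private, no-store, max-age=0",
    "vary": "Cookie",
}

def cache_directives(headers):
    """Parse Cache-Control into {directive: value}, names lowercased."""
    directives = {}
    for part in headers.get("cache-control", "").split(","):
        name, _, value = part.strip().lower().partition("=")
        if name:
            directives[name.strip()] = value.strip().strip('"')
    return directives

def shared_cache_may_store(headers):
    """Simplified RFC 9111: no-store or private forbids a shared cache from
    storing the response; otherwise (explicit lifetime or no Cache-Control
    at all) the response is storable, possibly via heuristic freshness."""
    d = cache_directives(headers)
    return "no-store" not in d and "private" not in d

def audit_per_user_response(headers):
    """Return (ok, findings) for a response whose body must differ per user."""
    findings = []
    if shared_cache_may_store(headers):
        findings.append("storable by a shared cache: send Cache-Control: private, no-store")
    if "cookie" not in headers.get("vary", "").lower():
        findings.append("no Vary: Cookie: cache key ignores the session")
    age = int(headers.get("age", "0") or 0)
    if age > 0:
        findings.append(f"served from cache, {age / 3600:.2f} h old: purge it")
    return not findings, findings

if __name__ == "__main__":
    for name, hdrs in (("stale CDN hit", STALE_CDN_HIT), ("hardened origin", HARDENED_ORIGIN)):
        ok, findings = audit_per_user_response(hdrs)
        print(name, "OK" if ok else "UNSAFE", *findings, sep="\n  ")
```

CDNs such as CloudFront also apply their own cache policy on top of these headers, so the origin-side fix has to be paired with including the session cookie in the cache key and purging the responses already cached, which is why the thread concludes the already-served tickets must be reset.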