From: Alviro Iskandar Setiawan
Date: Sun, 23 Apr 2023 06:11:56 +0700
Subject: Re: CF ticketing system is still vulnerable
To: Ammar Faizi
Cc: Michael William Jonathan, "GNU/Weeb Mailing List"

On Sun, Apr 23, 2023 at 6:06 AM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 05:58:09AM +0700, Alviro Iskandar Setiawan wrote:
> > Back to this again, I am not sure if the fix is proper. I get HTTP 500
> > when accessing it from libcurl in my C program:
> >
> [...]
>
> > {"success":false}
> >
> > But if I access it from curl cmd:
> [...]
>
> > {"success":true,"etickets":[]}
> >
> > That means it's not fixed. Also, HTTP 500 indicates internal server
> > error. It seems something goes very wrong with their fix attempt. So
> > yes, it's still vulnerable when I write this email.
>
> In other words, they only block your POC, but the endpoint is still
> accessible if you use another program?

Yes. But I'm not sure what the difference is. I'm fully confident that
the request headers I sent via my POC and via curl cmd are the same.

Summary:

- Access from browser: {"success":false}
- Access from my POC: {"success":false}
- Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
- Access from curl cmd (no cookies): {"success":true, "etickets": [...]}

I guess it's something about CDN. But I don't have enough info to make
a conclusion about the technical details.

-- 
Viro