From: Alviro Iskandar Setiawan
Date: Sun, 23 Apr 2023 08:28:39 +0700
Subject: Re: CF ticketing system is still vulnerable
To: Ammar Faizi
Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > Summary:
> > > - Access from browser: {"success":false}
> > > - Access from my POC: {"success":false}
> > > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
> >
> > Using real login with cookies can only get tickets that the user owns.
> > But if I remove the cookies, it can get any ticket just like
> > previously (from curl cmd).
>
> Confirmed. I can reproduce it.

This looks like a CDN cache to me. Using cookies will provoke cache
misses as the CDN can't decide anything about authentication. Thus,
it ends up accessing the origin server to get the response.

-- Viro
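The CDN-cache explanation above, modelled as a small runnable simulation. This is an added example, not code from the thread or from the ticketing system under discussion: the ticket data, session cookies, URL path layout and the CDN's caching rules (requests carrying a Cookie header bypass the cache and go to the origin; cookie-less requests are served from a cache keyed on the URL alone; origin responses are stored unless marked private/no-store) are all assumptions chosen to reproduce the symptom in the thread, not observed behaviour of any real CDN. It shows the leak with an origin that omits Cache-Control on per-user JSON, and the same check passing once the origin marks those responses `private, no-store`.

```python
"""Model of a shared CDN cache in front of an authenticated ticket API.

Added example, not code from the mailing-list thread or the ticketing
system. All data, paths and caching rules below are constructed
assumptions used to illustrate the cache-miss-on-cookie explanation.
"""
import json
from dataclasses import dataclass, field

# Constructed sample data: which e-ticket belongs to which user, and which
# session cookie maps to which logged-in user.
TICKETS = {
    "1001": {"ticket_id": "1001", "owner": "alice", "event": "Sample Event"},
    "1002": {"ticket_id": "1002", "owner": "bob", "event": "Sample Event"},
}
SESSIONS = {"sid=alice-session": "alice", "sid=bob-session": "bob"}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def origin(path, headers, mark_private):
    """Origin server: hands a ticket only to its owner (by session cookie).

    mark_private=False models the weak origin: per-user JSON carries no
    Cache-Control, so any shared cache in front of it may store it.
    mark_private=True is the fix: the response is explicitly private and
    not storable, so a shared cache must forward every request.
    """
    ticket_id = path.rsplit("/", 1)[-1]
    user = SESSIONS.get(headers.get("Cookie", ""))
    ticket = TICKETS.get(ticket_id)
    if user is None or ticket is None or ticket["owner"] != user:
        body = json.dumps({"success": False})
    else:
        body = json.dumps({"success": True, "etickets": [ticket]})
    resp_headers = {"Content-Type": "application/json"}
    if mark_private:
        resp_headers["Cache-Control"] = "private, no-store"
    return Response(200, resp_headers, body)


@dataclass
class Cdn:
    """Shared cache keyed on the URL path only (assumed CDN behaviour).

    A request with a Cookie header is never answered from cache and is
    forwarded to the origin (the "cache miss" in the thread); the origin's
    reply is still stored unless it says private/no-store. A request with
    no cookie is answered from cache whenever the path is present, with
    no authentication check at all.
    """
    mark_private: bool
    store: dict = field(default_factory=dict)

    def fetch(self, path, headers=None):
        headers = headers or {}
        if "Cookie" not in headers and path in self.store:
            return self.store[path]           # cache hit: origin never consulted
        resp = origin(path, headers, self.mark_private)
        cc = resp.headers.get("Cache-Control", "")
        if resp.status == 200 and "no-store" not in cc and "private" not in cc:
            self.store[path] = resp           # storable: visible to later requests
        return resp


def parsed(resp):
    """Decode a JSON response body (helper for callers and tests)."""
    return json.loads(resp.body)


def leaks_without_cookie(cdn, path, owner_cookie):
    """The check from the thread: fetch once as the owner (with cookie),
    then the same URL with no cookie. True if the cookie-less request gets
    the owner's ticket back, i.e. the shared cache is serving private data."""
    cdn.fetch(path, {"Cookie": owner_cookie})
    anon = parsed(cdn.fetch(path))
    return anon.get("success") is True and bool(anon.get("etickets"))


if __name__ == "__main__":
    path = "/api/etickets/1001"
    print("weak origin leaks: ",
          leaks_without_cookie(Cdn(mark_private=False), path, "sid=alice-session"))
    print("fixed origin leaks:",
          leaks_without_cookie(Cdn(mark_private=True), path, "sid=alice-session"))
```

The interesting part is that the origin's own authorization check is correct in both runs; what differs is whether the response was allowed to land in a cache that keys on the URL and skips the check for cookie-less requests. On a real deployment the equivalent probe is the curl-without-cookies request from the thread compared against the logged-in XHR, and the fix sits in the origin's response headers (or the CDN's cache rules), not in the login flow.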