From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <alviro.iskandar@gnuweeb.org>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on gnuweeb.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF autolearn=ham
	autolearn_force=no version=3.4.6
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gnuweeb.org;
	s=default; t=1682213333;
	bh=ct/iwWUVVmehLflwGkgogw3COdG/LTSR5Zs9SuJvsdc=;
	h=References:In-Reply-To:From:Date:Subject:To:Cc;
	b=MYqRbwi1tBWsegv+glYA4EayGDLMki3q3Arqy3Mnvn5VhdvQ4IVl06wlC8qgVyjSl
	 MXwdtw6aHtDLNbaIYVMWm/TZ45T8UvtF1m0/3wQ4K2qdDlJ4plWKom6PAQvpTCr/Vd
	 dtSxi5+ARZytwyoFZ6+5BaiENG5kYAiYHF6QYz0yZP4IyHWiZV6E8ceosyowh3lbOA
	 mtLQJRlzdDbbTqDPE/XDhlSJVseJPutfikTIvfWY3enhJ/Lc/bhzkeXXpklcLfsIBk
	 gFGlxi+dgG02Yu04rl6D6O7asTQTePduOFZUAeFXCSJ3wgDW18oOSLVLoFG5IkxWdQ
	 WVdJ3tn0sM8sw==
Received: from mail-lj1-f180.google.com (mail-lj1-f180.google.com [209.85.208.180])
	by gnuweeb.org (Postfix) with ESMTPSA id 0904C2457F9
	for <gwml@vger.gnuweeb.org>; Sun, 23 Apr 2023 08:28:53 +0700 (WIB)
Received: by mail-lj1-f180.google.com with SMTP id 38308e7fff4ca-2a8aea2a654so29369251fa.1
        for <gwml@vger.gnuweeb.org>; Sat, 22 Apr 2023 18:28:52 -0700 (PDT)
X-Gm-Message-State: AAQBX9duHE56rlFTbjqbPNWwM9GOWsqiXB0HC9+QZhrIGcRKkNH4BXtQ
	pnv243znNO6Bbkq2Y8ho1D1DIB/cki9goK7wbKc=
X-Google-Smtp-Source: AKy350YujFRaZH/+Ln2hibGM709WgkK5FXmn4kMYMmRhGCUMPEfWVjVl3lpNofCcxH93MCkJFbtcdxmAGXfr/3aGCaw=
X-Received: by 2002:a2e:82cd:0:b0:2a8:ac62:7fea with SMTP id
 n13-20020a2e82cd000000b002a8ac627feamr1574274ljh.22.1682213331084; Sat, 22
 Apr 2023 18:28:51 -0700 (PDT)
MIME-Version: 1.0
References: <CAOG64qNpZq0Q0OCKgKuNWSX=BG+y-az5_YObgUt1vPfnD1pXPg@mail.gmail.com>
 <ZEMtOzT8PnppTLkK@biznet-home.integral.gnuweeb.org> <CAOG64qMUTuD2BZZiEZsjw=ivGfkv2Tu28Nr7Ar808NptvU0idw@mail.gmail.com>
 <ZEMx695Kl6rmZUEv@biznet-home.integral.gnuweeb.org> <ZENIBgfiQSnZcGS6@biznet-home.integral.gnuweeb.org>
 <CAOG64qO-G66HPBBmsDs80fgfCQrN2o1oSZ720i2TJSMn67cgpw@mail.gmail.com>
 <CAOG64qMi=1oM+iEKZmoQQWonDzE1ZBkfA5pCNmF2LQYQcK8KRw@mail.gmail.com>
 <ZERoaUptOd5Zq0gj@biznet-home.integral.gnuweeb.org> <CAOG64qPCF=iQVTwFzk=q0SHet2h+71cxJt3=jDuV-0Pf1Td3Xw@mail.gmail.com>
 <CAOG64qN_prvKLJ21A14zphG8UOXCN6OQ1dOQpuH+KEtr-SHgbw@mail.gmail.com> <ZERvkyIY5kz6vH7m@biznet-home.integral.gnuweeb.org>
In-Reply-To: <ZERvkyIY5kz6vH7m@biznet-home.integral.gnuweeb.org>
From: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Date: Sun, 23 Apr 2023 08:28:39 +0700
X-Gmail-Original-Message-ID: <CAOG64qPSwNb944tUzUm+TjCXZYJPUnBA0m4Q71-6mO6Bx3T4QQ@mail.gmail.com>
Message-ID: <CAOG64qPSwNb944tUzUm+TjCXZYJPUnBA0m4Q71-6mO6Bx3T4QQ@mail.gmail.com>
Subject: Re: CF ticketing system is still vulnerable
To: Ammar Faizi <ammarfaizi2@gnuweeb.org>
Cc: Michael William Jonathan <moe@chocola.dev>, "GNU/Weeb Mailing List" <gwml@vger.gnuweeb.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <gwml.vger.gnuweeb.org>

On Sun, Apr 23, 2023 at 6:36=E2=80=AFAM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 6:11=E2=80=AFAM Alviro Iskandar Setiawan wrote:
> > > Summary:
> > > - Access from browser: {"success":false}
> > > - Access from my POC: {"success":false}
> > > - Access from XHR (real login with cookies):  {"success":true, "etick=
ets": [...]}
> > > - Access from curl cmd (no cookies):  {"success":true, "etickets": [.=
..]}
> >
> > Using real login with cookies can only get tickets that the user owns.
> > But if I remove the cookies, it can get any ticket just like
> > previously (from curl cmd).
>
> Confirmed. I can reproduce it.

This looks like a CDN cache to me. Using cookies will provoke cache
misses as the CDN can't decide anything about authentication. Thus, it
ends up accessing the origin server to get the response.

-- Viro