From: Louvian Lyndal
Date: Tue, 22 Oct 2024 04:57:13 +0700
Subject: gwcfd v3
To: Ammar Faizi, Alviro Iskandar Setiawan, Michael William Jonathan
Cc: "GNU/Weeb Mailing List"

Last night, I reported a glaring vulnerability in the CF ticketing system to ticket2u customer service. In return, they gifted me this brilliant response:

"Hi. The link to view/download the ticket is only sent to the registered email during ticket purchase. Not all buyers create ticket2u accounts to make a purchase. If a guest account is used, it won’t be bound to a user account. Thank you."

I even included a sample URL that anyone could access without login, but apparently, that's just how they like it - wide open and welcoming to all.

Honestly, it seems the CF folks are doomed to repeat history. This is the third time they've been dumped, and still, lessons go unlearned.
The third time's the charm, right?