* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-21 0:45 UTC
To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> Hi Ammar,
>
> After the recent fix from KiosTix, I can still dump 10889 tickets this
> morning. I found that about 90% of tickets already use UUIDv4 in this
> dump. KiosTix MUST also reset all tickets again despite the fact that
> they already use UUIDv4 because everything is still publicly
> available.
>
> Please report this immediately to KiosTix!
>
> POC and sample attached.
>
> gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> ./gwcfd2;

I'll address this ASAP.

-- 
Ammar Faizi
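The report above makes a point worth isolating: switching ticket ids to UUIDv4 does not help while an endpoint hands out every ticket to any caller, and once ids have been dumped they have to be reissued. The following is an added illustration written for this editorial pass, not code from the thread, from KiosTix, or from the gwcfd2 POC. It is a hypothetical in-memory ticket service (class `TicketStore`, users "alice" and "bob", event names, all constructed) that contrasts a lookup trusting the id alone with one that checks the caller's session, and shows rotation of exposed tickets.

```python
"""Added example: unguessable ids are not access control (hypothetical service)."""
import uuid
from dataclasses import dataclass


@dataclass
class Ticket:
    ticket_id: str   # UUIDv4 string, random and unguessable
    owner: str       # account that bought the ticket
    event: str
    revoked: bool = False


class TicketStore:
    """Constructed in-memory stand-in for a ticketing backend."""

    def __init__(self):
        self._by_id = {}

    def issue(self, owner, event):
        ticket = Ticket(str(uuid.uuid4()), owner, event)
        self._by_id[ticket.ticket_id] = ticket
        return ticket

    # --- weak pattern: the random id is the only thing protecting the record ---
    def list_all_weak(self):
        """Unauthenticated listing: once this exists, the randomness of the ids
        is irrelevant, because a client can simply ask for all of them."""
        return [t.ticket_id for t in self._by_id.values() if not t.revoked]

    def lookup_weak(self, ticket_id):
        """Returns any live ticket to anyone who knows (or was handed) the id."""
        t = self._by_id.get(ticket_id)
        if t is None or t.revoked:
            return {"success": False}
        return {"success": True, "owner": t.owner, "event": t.event}

    # --- hardened pattern: authorization decided on every access ---
    def lookup_hardened(self, session_user, ticket_id):
        """Refuse unless there is a session and it owns the ticket. The failure
        body is the same for 'no session', 'unknown id', 'revoked' and 'not
        yours', so the endpoint does not confirm which ids exist."""
        t = self._by_id.get(ticket_id)
        if session_user is None or t is None or t.revoked or t.owner != session_user:
            return {"success": False}
        return {"success": True, "owner": t.owner, "event": t.event}

    def reissue_exposed(self, exposed_ids):
        """Rotate tickets whose ids were leaked: revoke the old id and issue a
        fresh UUIDv4 for the same owner and event. Returns {old_id: new_id};
        unknown or already-revoked ids are skipped."""
        mapping = {}
        for old_id in exposed_ids:
            t = self._by_id.get(old_id)
            if t is None or t.revoked:
                continue
            t.revoked = True
            mapping[old_id] = self.issue(t.owner, t.event).ticket_id
        return mapping


def demo():
    """Walk through leak, denied cross-account access, and rotation."""
    store = TicketStore()
    alice = store.issue("alice", "constructed-event")
    bob = store.issue("bob", "constructed-event")
    dump = store.list_all_weak()                      # anonymous caller sees every id
    leaked = store.lookup_weak(dump[0])               # ...and can read each record
    denied = store.lookup_hardened("alice", bob.ticket_id)
    allowed = store.lookup_hardened("alice", alice.ticket_id)
    rotated = store.reissue_exposed(dump)             # old ids are now dead
    stale = store.lookup_weak(alice.ticket_id)        # even the weak lookup refuses
    return {
        "dumped": len(dump),
        "leaked_success": leaked["success"],
        "cross_account": denied,
        "own_ticket": allowed["success"],
        "rotated": len(rotated),
        "stale_id_after_rotation": stale,
    }


if __name__ == "__main__":
    print(demo())
```

The two checks a defender would take from this: the fix has to live in the lookup (session plus ownership), not in the id format, and a leak of ids forces reissuing those tickets regardless of how random the ids were.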
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-21 23:21 UTC
To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > POC and sample attached.
> >
> > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > ./gwcfd2;
>
> I'll address this ASAP.

I sent your POC and sample to the KiosTix people yesterday. At first,
they didn't acknowledge the leak because they thought you leaked the
old tickets.

Looking at their response, they will need a few days to mull things
over before they fix the vuln. Plus, they will probably have
difficulty grasping what your crazy multithreaded POC is actually
doing. So let's give them more time; they're web developers, not
super-savants.

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-21 23:41 UTC
To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 6:21 AM Ammar Faizi wrote:
> On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> > On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > > POC and sample attached.
> > >
> > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > > ./gwcfd2;
> >
> > I'll address this ASAP.
>
> I sent your POC and sample to the KiosTix people yesterday. At first,
> they didn't acknowledge the leak because they thought you leaked the
> old tickets.

Didn't they read the dump.txt file I sent? It looks new to me... Or
maybe I am the one who ate their sweet honeypot this time?

> Looking at their response, they will need a few days to mull things
> over before they fix the vuln. Plus, they will probably have
> difficulty grasping what your crazy multithreaded POC is actually
> doing. So let's give them more time; they're web developers, not
> super-savants.

Imagine what will happen if someone else outside GNU/Weeb finds the
vuln and posts it publicly. Hope they don't blame us in case that
happens.
-- 
Viro

[-- Attachment #2: endpoints.txt.gpg.asc --]
[-- Type: text/plain, Size: 11944 bytes --]
(PGP-encrypted attachment body omitted)
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-21 23:50 UTC
To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 6:42 AM Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 6:21 AM Ammar Faizi wrote:
> > On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> > > On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > > > POC and sample attached.
> > > >
> > > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > > > ./gwcfd2;
> > >
> > > I'll address this ASAP.
> >
> > I sent your POC and sample to the KiosTix people yesterday. At first,
> > they didn't acknowledge the leak because they thought you leaked the
> > old tickets.
>
> Didn't they read the dump.txt file I sent? It looks new to me... Or
> maybe I am the one who ate their sweet honeypot this time?

No, I don't think that's a honeypot. I just confirmed that my new
tickets that already use UUIDv4 are in your dump too. So it's legit;
they just didn't understand what you're trying to tell them.

> > Looking at their response, they will need a few days to mull things
> > over before they fix the vuln. Plus, they will probably have
> > difficulty grasping what your crazy multithreaded POC is actually
> > doing. So let's give them more time; they're web developers, not
> > super-savants.
>
> Imagine what will happen if someone else outside GNU/Weeb finds the
> vuln and posts it publicly. Hope they don't blame us in case that
> happens.

That's a real problem for us too.

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-22 0:09 UTC
To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 6:51 AM Ammar Faizi wrote:
> On Sat, Apr 22, 2023 at 6:42 AM Alviro Iskandar Setiawan wrote:
> > On Sat, Apr 22, 2023 at 6:21 AM Ammar Faizi wrote:
> > > On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> > > > On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > > > > POC and sample attached.
> > > > >
> > > > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > > > > ./gwcfd2;
> > > >
> > > > I'll address this ASAP.
> > >
> > > I sent your POC and sample to the KiosTix people yesterday. At first,
> > > they didn't acknowledge the leak because they thought you leaked the
> > > old tickets.
> >
> > Didn't they read the dump.txt file I sent? It looks new to me... Or
> > maybe I am the one who ate their sweet honeypot this time?
>
> No, I don't think that's a honeypot. I just confirmed that my new
> tickets that already use UUIDv4 are in your dump too. So it's legit;
> they just didn't understand what you're trying to tell them.

Doubt it. Did you talk to a dev or a manager? I guess you were talking to
a manager who doesn't understand the technical stuff behind this.

-- 
Viro
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-22 0:18 UTC
To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 07:09:51AM +0700, Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 6:51 AM Ammar Faizi wrote:
> > On Sat, Apr 22, 2023 at 6:42 AM Alviro Iskandar Setiawan wrote:
> > > On Sat, Apr 22, 2023 at 6:21 AM Ammar Faizi wrote:
> > > > On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> > > > > On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > POC and sample attached.
> > > > > >
> > > > > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > > > > > ./gwcfd2;
> > > > >
> > > > > I'll address this ASAP.
> > > >
> > > > I sent your POC and sample to the KiosTix people yesterday. At first,
> > > > they didn't acknowledge the leak because they thought you leaked the
> > > > old tickets.
> > >
> > > Didn't they read the dump.txt file I sent? It looks new to me... Or
> > > maybe I am the one who ate their sweet honeypot this time?
> >
> > No, I don't think that's a honeypot. I just confirmed that my new
> > tickets that already use UUIDv4 are in your dump too. So it's legit;
> > they just didn't understand what you're trying to tell them.
>
> Doubt it. Did you talk to a dev or a manager? I guess you were talking to
> a manager who doesn't understand the technical stuff behind this.

To both of them, actually. Initially, I was talking to the "head of
sales & partnership" person. Then she created a WA group where I
talk directly to the dev.
[12:50 PM, 4/21/2023] Priska Narinda: Hello Mas Amar @Ammar Faizi, here is a representative from KiosTix IT, Mas Ali @Ali Reza Y
[12:50 PM, 4/21/2023] Priska Narinda: Let's communicate here, okay
[12:50 PM, 4/21/2023] Priska Narinda: So it doesn't stall and get held up with me ...
[12:52 PM, 4/21/2023] Priska Narinda: Mas @Ali Reza Y, this is a finding from Mas Amar's team.. regarding a KiosTix bug… perhaps you could respond on how it will be handled
[12:52 PM, 4/21/2023] Ammar Faizi: Nice to meet you, Mas @Ali Reza Y. I'm Ammar Faizi from GNU/Weeb. Any response regarding the message above?
[12:53 PM, 4/21/2023] Priska Narinda: Yes, please wait for Ali's answer
[1:00 PM, 4/21/2023] Ali Reza Y: Hello Mas.. let me take this discussion to our team first, okay
[1:02 PM, 4/21/2023] Ammar Faizi: Okay.
[1:06 PM, 4/21/2023] Ali Reza Y: Is there anything else, Mas, so we can discuss it internally at the same time
[1:07 PM, 4/21/2023] Ammar Faizi: Not yet. I'll keep updating here if there are other findings.

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-22 0:29 UTC
To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 7:18 AM Ammar Faizi wrote:
> On Sat, Apr 22, 2023 at 07:09:51AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sat, Apr 22, 2023 at 6:51 AM Ammar Faizi wrote:
> > > On Sat, Apr 22, 2023 at 6:42 AM Alviro Iskandar Setiawan wrote:
> > > > On Sat, Apr 22, 2023 at 6:21 AM Ammar Faizi wrote:
> > > > > On Fri, Apr 21, 2023 at 7:45 AM Ammar Faizi wrote:
> > > > > > On Fri, Apr 21, 2023 at 7:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > > POC and sample attached.
> > > > > > >
> > > > > > > gcc -Wall -Wextra -O2 -ggdb3 gwcfd2.c -o gwcfd2 -lcurl -ljson-c -lpthread;
> > > > > > > ./gwcfd2;
> > > > > >
> > > > > > I'll address this ASAP.
> > > > >
> > > > > I sent your POC and sample to the KiosTix people yesterday. At first,
> > > > > they didn't acknowledge the leak because they thought you leaked the
> > > > > old tickets.
> > > >
> > > > Didn't they read the dump.txt file I sent? It looks new to me... Or
> > > > maybe I am the one who ate their sweet honeypot this time?
> > >
> > > No, I don't think that's a honeypot. I just confirmed that my new
> > > tickets that already use UUIDv4 are in your dump too. So it's legit;
> > > they just didn't understand what you're trying to tell them.
> >
> > Doubt it. Did you talk to a dev or a manager? I guess you were talking to
> > a manager who doesn't understand the technical stuff behind this.
>
> To both of them, actually. Initially, I was talking to the "head of
> sales & partnership" person. Then she created a WA group where I
> talk directly to the dev.

Better go to sleep :/

-- 
Viro
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-22 0:41 UTC
To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 07:29:09AM +0700, Alviro Iskandar Setiawan wrote:
> Better go to sleep :/

Good point! For now, I am going to do my daily morning ritual and memory
consolidation __("called sleep 😴😴😴")__.

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-22 0:54 UTC
To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 7:41 AM Ammar Faizi wrote:
> On Sat, Apr 22, 2023 at 07:29:09AM +0700, Alviro Iskandar Setiawan wrote:
> > Better go to sleep :/
>
> Good point! For now, I am going to do my daily morning ritual and memory
> consolidation __("called sleep 😴😴😴")__.

I wish I could; I'm still meeting my family members. Idul Fitri is a
tiring holiday, especially for a no-life weeb (like me).

-- 
Viro
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-22 1:01 UTC
To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 07:54:05AM +0700, Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 7:41 AM Ammar Faizi wrote:
> > On Sat, Apr 22, 2023 at 07:29:09AM +0700, Alviro Iskandar Setiawan wrote:
> > > Better go to sleep :/
> >
> > Good point! For now, I am going to do my daily morning ritual and memory
> > consolidation __("called sleep 😴😴😴")__.
>
> I wish I could; I'm still meeting my family members. Idul Fitri is a
> tiring holiday, especially for a no-life weeb (like me).

Eat it!!! (and have fun)

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-22 2:35 UTC
To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 08:01:36AM +0700, Ammar Faizi wrote:
> On Sat, Apr 22, 2023 at 07:54:05AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sat, Apr 22, 2023 at 7:41 AM Ammar Faizi wrote:
> > > On Sat, Apr 22, 2023 at 07:29:09AM +0700, Alviro Iskandar Setiawan wrote:
> > > > Better go to sleep :/

They just said they have fixed the vuln. Please verify that it's
actually fixed, then you can sleep well.

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-22 6:02 UTC
To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 9:35 AM Ammar Faizi wrote:
> They just said they have fixed the vuln. Please verify that it's
> actually fixed, then you can sleep well.

Looks good to me. Now the endpoint returns {"success":false}.

Acked-by: Alviro Iskandar Setiawan <[email protected]>

-- 
Viro
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-22 6:38 UTC
To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 01:02:49PM +0700, Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 9:35 AM Ammar Faizi wrote:
> > They just said they have fixed the vuln. Please verify that it's
> > actually fixed, then you can sleep well.
>
> Looks good to me. Now the endpoint returns {"success":false}.
>
> Acked-by: Alviro Iskandar Setiawan <[email protected]>

Thanks for testing. I'll report it.

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-22 6:53 UTC
To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 1:38 PM Ammar Faizi wrote:
> Thanks for testing. I'll report it.

See you guys in Jakarta.

-- 
Viro
* Telegram bot? (was: Re: CF ticketing system is still vulnerable)
From: Ammar Faizi @ 2023-04-22 7:49 UTC
To: Alviro Iskandar Setiawan; +Cc: Irvan Malik Azantha, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 01:53:47PM +0700, Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 1:38 PM Ammar Faizi wrote:
> See you guys in Jakarta.

Strictly speaking, Tangerang. But yeah, touching Jakarta is inevitable.
Looking forward to it!

[
  - Moving Moe to Bcc (check the list if you're interested).
  - Adding Irvan to Cc.
]

Move on. I plan to continue the bot development; are you done with the
pending pull requests? It seems it's a good time to get it deployed soon.

-- 
Ammar Faizi
* Re: Telegram bot? (was: Re: CF ticketing system is still vulnerable)
From: Alviro Iskandar Setiawan @ 2023-04-22 7:52 UTC
To: Ammar Faizi; +Cc: Irvan Malik Azantha, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 2:49 PM Ammar Faizi wrote:
>
> Strictly speaking, Tangerang. But yeah, touching Jakarta is inevitable.
> Looking forward to it!

Right, my mistake.

> I plan to continue the bot development; are you done with the pending
> pull requests? It seems it's a good time to get it deployed soon.

Almost forgot. Good time to start that again. I took a break with that
honestly. Let me get it continued again today. Not bad for holiday
activities.

-- 
Viro
* Re: Telegram bot? (was: Re: CF ticketing system is still vulnerable)
From: Ammar Faizi @ 2023-04-22 7:59 UTC
To: Alviro Iskandar Setiawan; +Cc: Irvan Malik Azantha, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 02:52:42PM +0700, Alviro Iskandar Setiawan wrote:
> Let me get it continued again today.

Did you push your work to an online git tree? I am not going to
directly merge it, but just want to see the changes.

-- 
Ammar Faizi
* Re: Telegram bot? (was: Re: CF ticketing system is still vulnerable)
From: Alviro Iskandar Setiawan @ 2023-04-22 8:00 UTC
To: Ammar Faizi; +Cc: Irvan Malik Azantha, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 2:59 PM Ammar Faizi wrote:
> On Sat, Apr 22, 2023 at 02:52:42PM +0700, Alviro Iskandar Setiawan wrote:
> > Let me get it continued again today.
>
> Did you push your work to an online git tree? I am not going to
> directly merge it, but just want to see the changes.

Still tmp commits; they need a rebase and real commit messages, of course.

https://github.com/alviroiskandar/GNUWeebBot2/tree/dev

(last touched: last week)

-- 
Viro
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-22 22:58 UTC
To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sat, Apr 22, 2023 at 1:02 PM Alviro Iskandar Setiawan wrote:
> On Sat, Apr 22, 2023 at 9:35 AM Ammar Faizi wrote:
> > They just said they have fixed the vuln. Please verify that it's
> > actually fixed, then you can sleep well.
>
> Looks good to me. Now the endpoint returns {"success":false}.

Back to this again, I am not sure if the fix is proper. I get HTTP 500
when accessing it from libcurl in my C program:

> * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
> * Using Stream ID: 1 (easy handle 0x7f19f0000b70)
> > GET /<URI> HTTP/2
> > Host: kiostix.com
> > user-agent: curl/7.81.0
> > accept: */*
> >
> * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
> < HTTP/2 500
> < content-type: application/json; charset=utf-8
> < content-length: 17
> < date: Sat, 22 Apr 2023 22:45:27 GMT
> < access-control-allow-credentials: true
> < access-control-allow-origin: *
> < access-control-allow-methods: GET,OPTIONS,PATCH,DELETE,POST,PUT
> < access-control-allow-headers: X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version
> < etag: "zngjl94gbkh"
> < vary: Accept-Encoding
> < x-cache: Error from cloudfront
> < via: 1.1 6f91c725c3d4f2326304347075e516a4.cloudfront.net (CloudFront)
> < x-amz-cf-pop: SIN2-P1
> < x-amz-cf-id: _2tJGxIIYax9O0HQ6DexdXe1EYH_u8_Ow1d5Z6N2G9mGSRU2RRGkKw==
> <
> * Connection #0 to host kiostix.com left intact
> {"success":false}

But if I access it from the curl cmd:

> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > GET /<URI> HTTP/2
> > Host: kiostix.com
> > user-agent: curl/7.81.0
> > accept: */*
> >
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> < HTTP/2 200
> < content-type: application/json; charset=utf-8
> < content-length: 167
> < date: Thu, 20 Apr 2023 23:12:21 GMT
> < access-control-allow-credentials: true
> < access-control-allow-origin: *
> < access-control-allow-methods: GET,OPTIONS,PATCH,DELETE,POST,PUT
> < access-control-allow-headers: X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version
> < etag: "d65958y5yu4n"
> < vary: Accept-Encoding
> < x-cache: RefreshHit from cloudfront
> < via: 1.1 8d08de7fce6cdb6f648bade508fa2926.cloudfront.net (CloudFront)
> < x-amz-cf-pop: SIN2-P1
> < x-amz-cf-id: 3CtjmR6LPdqP4wVerazXS7DVYSVaPdEYQ609h-Uczw9UgjeQ6W-BFw==
> < age: 171251
> <
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * Connection #0 to host kiostix.com left intact
> {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}

That means it's not fixed. Also, HTTP 500 indicates an internal server
error. It seems something goes very wrong with their fix attempt. So yes,
it's still vulnerable when I write this email.

-- 
Viro
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-22 23:06 UTC
To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 05:58:09AM +0700, Alviro Iskandar Setiawan wrote:
> Back to this again, I am not sure if the fix is proper. I get HTTP 500
> when accessing it from libcurl in my C program:
> [...]
> > {"success":false}
>
> But if I access it from curl cmd:
[...]
> > {"success":true,"etickets":[<snip>]}
>
> That means it's not fixed. Also, HTTP 500 indicates internal server
> error. It seems something goes very wrong with their fix attempt. So
> yes, it's still vulnerable when I write this email.

In other words, they only block your POC, but the endpoint is still
accessible if you use another program?

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-22 23:11 UTC
To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 6:06 AM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 05:58:09AM +0700, Alviro Iskandar Setiawan wrote:
> > Back to this again, I am not sure if the fix is proper. I get HTTP 500
> > when accessing it from libcurl in my C program:
> > [...]
> > > {"success":false}
> >
> > But if I access it from curl cmd:
> [...]
> > > {"success":true,"etickets":[<snip>]}
> >
> > That means it's not fixed. Also, HTTP 500 indicates internal server
> > error. It seems something goes very wrong with their fix attempt. So
> > yes, it's still vulnerable when I write this email.
>
> In other words, they only block your POC, but the endpoint is still
> accessible if you use another program?

Yes. But I'm not sure what the difference is. I'm fully confident that
the request headers I sent via my POC and via the curl cmd are the same.

Summary:
- Access from browser: {"success":false}
- Access from my POC: {"success":false}
- Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
- Access from curl cmd (no cookies): {"success":true, "etickets": [...]}

I guess it's something about the CDN. But I don't have enough info to
make a conclusion about the technical details.

-- 
Viro
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-22 23:23 UTC
To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> Summary:
> - Access from browser: {"success":false}
> - Access from my POC: {"success":false}
> - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}

Using a real login with cookies can only get tickets that the user owns.
But if I remove the cookies, it can get any ticket just like previously
(from the curl cmd).

-- 
Viro
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-22 23:36 UTC
To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > Summary:
> > - Access from browser: {"success":false}
> > - Access from my POC: {"success":false}
> > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
>
> Using real login with cookies can only get tickets that the user owns.
> But if I remove the cookies, it can get any ticket just like
> previously (from curl cmd).

Confirmed. I can reproduce it.

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-23 1:28 UTC
To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > Summary:
> > > - Access from browser: {"success":false}
> > > - Access from my POC: {"success":false}
> > > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
> >
> > Using real login with cookies can only get tickets that the user owns.
> > But if I remove the cookies, it can get any ticket just like
> > previously (from curl cmd).
>
> Confirmed. I can reproduce it.

This looks like a CDN cache to me. Using cookies will provoke cache
misses as the CDN can't decide anything about authentication. Thus, it
ends up accessing the origin server to get the response.

-- 
Viro
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-23 1:31 UTC
To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > Summary:
> > > > - Access from browser: {"success":false}
> > > > - Access from my POC: {"success":false}
> > > > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > > > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
> > >
> > > Using real login with cookies can only get tickets that the user owns.
> > > But if I remove the cookies, it can get any ticket just like
> > > previously (from curl cmd).
> >
> > Confirmed. I can reproduce it.
>
> This looks like a CDN cache to me. Using cookies will provoke cache
> misses as the CDN can't decide anything about authentication. Thus, it
> ends up accessing the origin server to get the response.

With cookies:
> < x-cache: Error from cloudfront
> < age: 2
> {"success":false}

Without cookies:
> < x-cache: RefreshHit from cloudfront
> < age: 181004
> {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}

-- 
Viro
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-23 1:38 UTC
To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > Summary:
> > > > > - Access from browser: {"success":false}
> > > > > - Access from my POC: {"success":false}
> > > > > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > > > > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
> > > >
> > > > Using real login with cookies can only get tickets that the user owns.
> > > > But if I remove the cookies, it can get any ticket just like
> > > > previously (from curl cmd).
> > >
> > > Confirmed. I can reproduce it.
> >
> > This looks like a CDN cache to me. Using cookies will provoke cache
> > misses as the CDN can't decide anything about authentication. Thus, it
> > ends up accessing the origin server to get the response.
>
> With cookies:
> > < x-cache: Error from cloudfront
> > < age: 2
> > {"success":false}
>
> Without cookies:
> > < x-cache: RefreshHit from cloudfront
> > < age: 181004
> > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}

Great, good point!

And "age: 181004" means the page you see is 50.27 hours old. So we can
say that they've fixed the vuln, but their CDN is still caching the vuln
response.

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-23 1:47 UTC
To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 8:38 AM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > > Summary:
> > > > > > - Access from browser: {"success":false}
> > > > > > - Access from my POC: {"success":false}
> > > > > > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > > > > > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
> > > > >
> > > > > Using real login with cookies can only get tickets that the user owns.
> > > > > But if I remove the cookies, it can get any ticket just like
> > > > > previously (from curl cmd).
> > > >
> > > > Confirmed. I can reproduce it.
> > >
> > > This looks like a CDN cache to me. Using cookies will provoke cache
> > > misses as the CDN can't decide anything about authentication. Thus, it
> > > ends up accessing the origin server to get the response.
> >
> > With cookies:
> > > < x-cache: Error from cloudfront
> > > < age: 2
> > > {"success":false}
> >
> > Without cookies:
> > > < x-cache: RefreshHit from cloudfront
> > > < age: 181004
> > > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}
>
> Great, good point!
>
> And "age: 181004" means the page you see has been 50.27 hours old. So we
> can say that they've fixed the vuln, but their CDN is still caching
> the vuln response.

Right, the only problem here is the tickets served by the CDN cache are
still accessible. They must reset all tickets again. Otherwise, their
attempt to protect CF tickets is in vain.

-- 
Viro
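The mechanism the two of them work out above (origin fixed, CDN edge still serving the pre-fix 200 to cookie-less clients for as long as the cached object lives) can be replayed offline. The following is an added example written for this page; it is not code from the thread, from the POC, or from KiosTix. Everything in it is constructed: the order ids, owner names and ticket URLs are placeholders, the endpoint path is hypothetical, and the edge's behaviour is a model of what the thread infers from the x-cache/age headers (cookie-bearing requests go to the origin, cookie-less ones are served from a path-keyed cache until TTL expiry or invalidation). The last step goes one step beyond the thread: it shows, as a standard origin-side control and not as anything KiosTix did, that marking the authenticated endpoint `Cache-Control: private, no-store` would have made the fix effective immediately without a purge or a ticket reset.

```python
import math
import time

# Constructed sample data for this example only (not real KiosTix orders).
TICKETS = {
    "order-1": ["https://eticket.example/e/00000000-0000-4000-8000-000000000001"],
    "order-2": ["https://eticket.example/e/00000000-0000-4000-8000-000000000002"],
}
OWNERS = {"order-1": "alice", "order-2": "bob"}


class Origin:
    """Hypothetical origin behind the CDN.

    fixed=False reproduces the pre-fix behaviour (any GET returns the order's
    tickets). fixed=True requires a session cookie matching the order's owner.
    cacheable=False additionally marks responses 'private, no-store'; that is
    this example's own addition, the thread does not say what the real origin
    sends.
    """

    def __init__(self, fixed=False, cacheable=True):
        self.fixed = fixed
        self.cacheable = cacheable

    def handle(self, path, cookies):
        order = path.rsplit("/", 1)[-1]
        headers = {"content-type": "application/json; charset=utf-8"}
        if not self.cacheable:
            headers["cache-control"] = "private, no-store"
        if self.fixed and cookies.get("session") != OWNERS.get(order):
            # The thread observed HTTP 500 + {"success":false} from the fixed
            # origin; a cleaner fix would answer 401/403, but the status code
            # does not matter for the caching problem being modelled.
            return 500, headers, {"success": False}
        if order not in TICKETS:
            return 404, headers, {"success": False}
        return 200, headers, {"success": True, "etickets": TICKETS[order]}


class Edge:
    """Hypothetical CDN edge, cache keyed by path only.

    Modelling assumption taken from the thread's inference: a request carrying
    cookies is forwarded to the origin and not served from cache; a cookie-less
    request is served from cache until the TTL expires or the object is purged.
    Only cookie-less 200 responses are stored, and never when the origin says
    'no-store' or 'private'.
    """

    def __init__(self, origin, ttl=7 * 24 * 3600, clock=time.time):
        self.origin = origin
        self.ttl = ttl
        self.clock = clock
        self.store = {}  # path -> (stored_at, status, headers, body)

    def get(self, path, cookies=None):
        cookies = cookies or {}
        now = self.clock()
        if not cookies and path in self.store:
            stored_at, status, headers, body = self.store[path]
            if now - stored_at < self.ttl:
                hit = dict(headers, **{"x-cache": "Hit from cloudfront",
                                       "age": str(int(now - stored_at))})
                return status, hit, body
        status, headers, body = self.origin.handle(path, cookies)
        cc = headers.get("cache-control", "")
        if status == 200 and not cookies and "no-store" not in cc and "private" not in cc:
            self.store[path] = (now, status, headers, body)
        return status, dict(headers, **{"x-cache": "Miss from cloudfront", "age": "0"}), body

    def invalidate(self, path):
        self.store.pop(path, None)


def age_to_hours(age_header):
    """Age header (seconds) -> hours, truncated to two decimals as in the
    thread ('age: 181004' -> 50.27)."""
    return math.floor(int(age_header) / 36) / 100


def run_scenario():
    """Replay the sequence the thread describes; return what each client saw."""
    now = [0.0]
    origin = Origin(fixed=False)
    edge = Edge(origin, clock=lambda: now[0])
    path = "/api/etickets/order-2"  # hypothetical endpoint path
    seen = {}

    # 1. Before the fix: an anonymous GET leaks bob's tickets and gets cached.
    status, h, body = edge.get(path)
    seen["before_fix"] = (status, body["success"], h["x-cache"])

    # 2. Origin fixed ~50 hours later, but the edge still holds the old object.
    origin.fixed = True
    now[0] += 181004
    status, h, body = edge.get(path)
    seen["after_fix_anonymous"] = (status, body["success"], h["x-cache"], age_to_hours(h["age"]))

    # 3. The same request with a session cookie bypasses the cache and sees the fix.
    status, h, body = edge.get(path, cookies={"session": "alice"})
    seen["after_fix_with_cookie"] = (status, body["success"], h["x-cache"])

    # 4. Only a purge (or TTL expiry) makes the fix visible to anonymous clients.
    edge.invalidate(path)
    status, h, body = edge.get(path)
    seen["after_purge"] = (status, body["success"], h["x-cache"])

    # 5. Counterfactual: same timeline, but the origin marks the endpoint
    #    'private, no-store' from the start. The pre-fix leak still happens,
    #    yet nothing is stored, so the fix takes effect the moment it ships.
    origin2 = Origin(fixed=False, cacheable=False)
    edge2 = Edge(origin2, clock=lambda: now[0])
    edge2.get(path)  # leaks, but is not cached
    origin2.fixed = True
    status, h, body = edge2.get(path)
    seen["no_store_after_fix"] = (status, body["success"], h["x-cache"], len(edge2.store))
    return seen
```

Step 2 is the state Viro captured: the origin already rejects the request, but an anonymous client still receives the cached `{"success":true,...}` with an Age of 181004 seconds. Step 4 is the operational consequence the thread draws (the cached responses have to be purged, and the ticket identifiers already served from cache have to be reissued), and step 5 is the control that prevents the situation from arising in the first place.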
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-23 1:53 UTC
To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 08:47:16AM +0700, Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 8:38 AM Ammar Faizi wrote:
> > On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> > > On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > > > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > > > Summary:
> > > > > > > - Access from browser: {"success":false}
> > > > > > > - Access from my POC: {"success":false}
> > > > > > > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > > > > > > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
> > > > > >
> > > > > > Using real login with cookies can only get tickets that the user owns.
> > > > > > But if I remove the cookies, it can get any ticket just like
> > > > > > previously (from curl cmd).
> > > > >
> > > > > Confirmed. I can reproduce it.
> > > >
> > > > This looks like a CDN cache to me. Using cookies will provoke cache
> > > > misses as the CDN can't decide anything about authentication. Thus, it
> > > > ends up accessing the origin server to get the response.
> > >
> > > With cookies:
> > > > < x-cache: Error from cloudfront
> > > > < age: 2
> > > > {"success":false}
> > >
> > > Without cookies:
> > > > < x-cache: RefreshHit from cloudfront
> > > > < age: 181004
> > > > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}
> >
> > Great, good point!
> >
> > And "age: 181004" means the page you see has been 50.27 hours old. So we
> > can say that they've fixed the vuln, but their CDN is still caching
> > the vuln response.
>
> Right, the only problem here is the tickets served by the CDN cache
> are still accessible. They must reset all tickets again. Otherwise,
> their attempt to protect CF tickets is in vain.

I have posted several questions regarding this to the KiosTix people.
Will send you an update later.

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-23 3:33 UTC
To: Ammar Faizi; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 8:53 AM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 08:47:16AM +0700, Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 8:38 AM Ammar Faizi wrote:
> > > On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> > > > On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > > > > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > > > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > Summary:
> > > > > > > > - Access from browser: {"success":false}
> > > > > > > > - Access from my POC: {"success":false}
> > > > > > > > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > > > > > > > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
> > > > > > >
> > > > > > > Using real login with cookies can only get tickets that the user owns.
> > > > > > > But if I remove the cookies, it can get any ticket just like
> > > > > > > previously (from curl cmd).
> > > > > >
> > > > > > Confirmed. I can reproduce it.
> > > > >
> > > > > This looks like a CDN cache to me. Using cookies will provoke cache
> > > > > misses as the CDN can't decide anything about authentication. Thus, it
> > > > > ends up accessing the origin server to get the response.
> > > >
> > > > With cookies:
> > > > > < x-cache: Error from cloudfront
> > > > > < age: 2
> > > > > {"success":false}
> > > >
> > > > Without cookies:
> > > > > < x-cache: RefreshHit from cloudfront
> > > > > < age: 181004
> > > > > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}
> > >
> > > Great, good point!
> > >
> > > And "age: 181004" means the page you see has been 50.27 hours old. So we
> > > can say that they've fixed the vuln, but their CDN is still caching
> > > the vuln response.
> >
> > Right, the only problem here is the tickets served by the CDN cache
> > are still accessible. They must reset all tickets again. Otherwise,
> > their attempt to protect CF tickets is in vain.
>
> I have posted several questions regarding this to the KiosTix people.
> Will send you an update later.

Also, ask them when they will delete the old tickets that use unix time.
Because they are all still accessible even with cache-miss responses.

-- 
Viro
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-23 3:36 UTC
To: Alviro Iskandar Setiawan; +Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 10:33:10AM +0700, Alviro Iskandar Setiawan wrote:
> Also, ask them, when do they delete the old tickets that use unix
> time? Because they are all still accessible even with cache miss
> responses.

I did ask the same question. It's unclear when. They said (translated
from Indonesian):

[7:57 AM, 4/21/2023] Priska Narinda: Hello, minal aidin wal faizin (happy Eid, please forgive us) 🙏🏼🙏🏼
[7:57 AM, 4/21/2023] Priska Narinda: Yes, we will definitely delete them in stages.

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Moe @ 2023-04-23 3:48 UTC
To: Ammar Faizi, Alviro Iskandar Setiawan; +Cc: GNU/Weeb Mailing List

[HTML-only message; the archive did not render its body.]
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-23 3:56 UTC
To: Moe; +Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 03:48:27AM +0000, Moe wrote:
> I think they just don't take this seriously.
>
> They always say that they have fixed known bugs without confirming it
> first :v

Yeah, that's what I hate about KiosTix. They don't seem to be competent
in addressing security reports. We don't even see any mitigation or
immediate hot patch to address the vuln.

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-23 5:23 UTC
To: Ammar Faizi; +Cc: Moe, GNU/Weeb Mailing List

This is just a test to send an HTML email. Want to see how bad it is
when displayed on the lore.

-- 
Viro
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-23 5:28 UTC
To: Alviro Iskandar Setiawan; +Cc: Moe, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 12:23:48PM +0700, Alviro Iskandar Setiawan wrote:
> This is just a test to send an HTML email. Want to see how bad it is when
> displayed on the lore.

Well, that looks good. It's because your email contains two parts: HTML
and plain text.

The lore can properly render the plain text part, but not the HTML. Not
all mail clients do that though. I appreciate gmail for doing it.

-- 
Ammar Faizi
* Re: CF ticketing system is still vulnerable
From: Alviro Iskandar Setiawan @ 2023-04-23 5:43 UTC
To: Ammar Faizi; +Cc: Moe, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 12:29 PM Ammar Faizi wrote:
> On Sun, Apr 23, 2023 at 12:23:48PM +0700, Alviro Iskandar Setiawan wrote:
> > This is just a test to send an HTML email. Want to see how bad it is when
> > displayed on the lore.
>
> Well, that looks good. It's because your email contains two parts. HTML
> and plain text.
>
> The lore can properly render the plain text part, but not the HTML. Not
> all mail clients do that though. I appreciate gmail for doing it.

yea, it also auto word-wraps :v

-- 
Viro
* Re: CF ticketing system is still vulnerable
From: Ammar Faizi @ 2023-04-23 5:35 UTC
To: Moe; +Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 03:48:27AM +0000, Moe wrote:
> <unreadable HTML gunk>

Apart from this HTML issue, your Xiaomi mail client doesn't preserve the
"References" header, which makes the reference to the previous thread
get lost.

I recommend using gmail and Thunderbird (for desktop). I personally use
the "mutt mail client" (it runs on the CLI). It's a nice mail client with
rich features, but it takes so much time to learn the keys, obviously
not the first choice for starting.

-- 
Ammar Faizi
end of thread, other threads: [~2023-04-23 5:43 UTC | newest]

Thread overview: 36+ messages

[not found] <CAOG64qN7ZPE+twkvxWM8uq4NDsWzbUsXGYvrPxhf55YWG2G3Ww@mail.gmail.com>
2023-04-21  0:45 ` CF ticketing system is still vulnerable Ammar Faizi
2023-04-21 23:21   ` Ammar Faizi
2023-04-21 23:41     ` Alviro Iskandar Setiawan
2023-04-21 23:50       ` Ammar Faizi
2023-04-22  0:09         ` Alviro Iskandar Setiawan
2023-04-22  0:18           ` Ammar Faizi
2023-04-22  0:29             ` Alviro Iskandar Setiawan
2023-04-22  0:41               ` Ammar Faizi
2023-04-22  0:54                 ` Alviro Iskandar Setiawan
2023-04-22  1:01                   ` Ammar Faizi
2023-04-22  2:35                     ` Ammar Faizi
2023-04-22  6:02                       ` Alviro Iskandar Setiawan
2023-04-22  6:38                         ` Ammar Faizi
2023-04-22  6:53                           ` Alviro Iskandar Setiawan
2023-04-22  7:49                             ` Telegram bot? (was: Re: CF ticketing system is still vulnerable) Ammar Faizi
2023-04-22  7:52                               ` Alviro Iskandar Setiawan
2023-04-22  7:59                                 ` Ammar Faizi
2023-04-22  8:00                                   ` Alviro Iskandar Setiawan
2023-04-22 22:58                         ` CF ticketing system is still vulnerable Alviro Iskandar Setiawan
2023-04-22 23:06                           ` Ammar Faizi
2023-04-22 23:11                             ` Alviro Iskandar Setiawan
2023-04-22 23:23                               ` Alviro Iskandar Setiawan
2023-04-22 23:36                                 ` Ammar Faizi
2023-04-23  1:28                                   ` Alviro Iskandar Setiawan
2023-04-23  1:31                                     ` Alviro Iskandar Setiawan
2023-04-23  1:38                                       ` Ammar Faizi
2023-04-23  1:47                                         ` Alviro Iskandar Setiawan
2023-04-23  1:53                                           ` Ammar Faizi
2023-04-23  3:33                                             ` Alviro Iskandar Setiawan
2023-04-23  3:36                                               ` Ammar Faizi
2023-04-23  3:48                                                 ` Moe
2023-04-23  3:56                                                   ` Ammar Faizi
2023-04-23  5:23                                                     ` Alviro Iskandar Setiawan
2023-04-23  5:28                                                       ` Ammar Faizi
2023-04-23  5:43                                                         ` Alviro Iskandar Setiawan
2023-04-23  5:35                                                   ` Ammar Faizi