From: Ammar Faizi <[email protected]>
To: Alviro Iskandar Setiawan <[email protected]>
Cc: Michael William Jonathan <[email protected]>,
GNU/Weeb Mailing List <[email protected]>
Subject: Re: CF ticketing system is still vulnerable
Date: Sun, 23 Apr 2023 08:38:37 +0700
Message-ID: <ZESMHZDr0K/[email protected]>
In-Reply-To: <CAOG64qOCKhBCRtH6bhoZLJG5sz7ifdt4AzPZtZnbEnG+4hqKAQ@mail.gmail.com>
On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > Summary:
> > > > > - Access from browser: {"success":false}
> > > > > - Access from my POC: {"success":false}
> > > > > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > > > > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
> > > >
> > > > Using real login with cookies can only get tickets that the user owns.
> > > > But if I remove the cookies, it can get any ticket just like
> > > > previously (from curl cmd).
> > >
> > > Confirmed. I can reproduce it.
> >
> > This looks like a CDN cache to me. Using cookies will provoke cache
> > misses as the CDN can't decide anything about authentication. Thus, it
> > ends up accessing the origin server to get the response.
>
> With cookies:
> > < x-cache: Error from cloudfront
> > < age: 2
> > {"success":false}
>
> Without cookies:
> > < x-cache: RefreshHit from cloudfront
> > < age: 181004
> > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}
Great, good point!
And "age: 181004" means the page you see is 50.27 hours old. So we
can say that they've fixed the vuln, but their CDN is still caching
the vuln response.
--
Ammar Faizi
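An added example, not code from this thread, the ticketing system, or CloudFront: a small Python checker that reads `curl -v` style response headers, reports whether the CDN served the body from cache and how old it is (from the `Age` header, in hours), and flags the root cause the thread points at: a per-user endpoint whose response carries no `Cache-Control: private` or `no-store`, so the CDN is free to cache one user's ticket list and serve it to anyone. The two header blocks are constructed samples modelled on the quoted curl output; the endpoint name and the `assess` function are assumptions of this example.

```python
"""Classify CDN responses on a per-user endpoint by their cache headers.

Constructed example, not from the mailing-list thread. It parses the
'< header: value' lines that `curl -v` prints and derives three things:
whether CloudFront served the body from cache, how old it is, and whether
the origin ever told the CDN not to cache it.
"""

# Constructed samples, modelled on the two curl outputs quoted in the thread.
WITH_COOKIES = """\
< HTTP/2 200
< content-type: application/json
< x-cache: Error from cloudfront
< age: 2
"""

WITHOUT_COOKIES = """\
< HTTP/2 200
< content-type: application/json
< x-cache: RefreshHit from cloudfront
< age: 181004
"""

# What a fixed origin should send for a response that depends on the login.
FIXED_ORIGIN = """\
< HTTP/2 200
< content-type: application/json
< cache-control: private, no-store
< x-cache: Miss from cloudfront
"""


def parse_headers(raw: str) -> dict:
    """Turn '< name: value' lines into a lower-cased header dict.

    The status line ('< HTTP/2 200') has no colon and is skipped.
    """
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("<"):
            continue
        body = line[1:].strip()
        if ":" not in body:
            continue
        name, value = body.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def age_hours(headers: dict) -> float:
    """Age header is seconds since the CDN fetched the object from origin."""
    return int(headers.get("age", "0")) / 3600


def served_from_cache(headers: dict) -> bool:
    """CloudFront marks cache-served bodies as 'Hit' or 'RefreshHit'."""
    xc = headers.get("x-cache", "").lower()
    return xc.startswith("hit") or xc.startswith("refreshhit")


def assess(headers: dict) -> list:
    """Findings for a response on an endpoint that returns per-user data.

    Two independent problems are reported: the body actually came from the
    shared cache (stale, possibly another user's data), and the origin did
    not forbid caching, so the CDN will keep doing it after any origin fix.
    """
    findings = []
    if served_from_cache(headers):
        findings.append(f"served from CDN cache, {age_hours(headers):.2f} h old")
    cc = headers.get("cache-control", "").lower()
    if "private" not in cc and "no-store" not in cc:
        findings.append("no Cache-Control: private/no-store on per-user endpoint")
    return findings


if __name__ == "__main__":
    for label, raw in [("with cookies", WITH_COOKIES),
                       ("without cookies", WITHOUT_COOKIES),
                       ("fixed origin", FIXED_ORIGIN)]:
        print(label, "->", assess(parse_headers(raw)) or ["ok"])
```

Running it shows the asymmetry the thread observed: the cookie-bearing request is a cache miss and only lacks the `Cache-Control` directive, the cookie-less request is a two-day-old `RefreshHit`, and the `FIXED_ORIGIN` sample produces no findings. The second finding is the one to act on; until the origin marks such responses `private`/`no-store` (or the CDN is told not to cache that path and the stale objects are invalidated), fixing the authorization bug at the origin does not stop the CDN from replaying the old body.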