From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ammarfaizi2@gnuweeb.org>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on gnuweeb.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF autolearn=ham
	autolearn_force=no version=3.4.6
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gnuweeb.org;
	s=default; t=1682213922;
	bh=I41ckAO0sSFXa3hKkMvoU5F6puMt0b5LvPMm6cqpvWE=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To;
	b=Zie2tuMWokJH00sI/jNV8f2tfswEKE9BUlkzGHkmB29x/8Jt9S+WZUVB1oYUZjApK
	 ym1PMat16DgcIePLuZpBNJNhnugAkOe4uaa873gcgzORSCPutYZGN2Un50qMMVp4rD
	 nPbKgYCa3d798mj4OD4aISnjpcC2e12zA/pAhi3vZq0ZQw/WtNsbYSnBb86HIm4jtS
	 PeGDFzipKPo4dSpaWln77hzjaqwe8K3TV9e3zgNjy0MkscOoqE+uVw3NSIOJcCCR4w
	 oSK3B/Y3IrLxVzBTOtweJyEGUUcEUmnp/zJJTix9PTbj3KWdh3cvk7KIocBXvt1i9s
	 hqSNGBorElKrg==
Received: from biznet-home.integral.gnuweeb.org (unknown [182.2.68.80])
	by gnuweeb.org (Postfix) with ESMTPSA id 527E62457BE;
	Sun, 23 Apr 2023 08:38:41 +0700 (WIB)
Date: Sun, 23 Apr 2023 08:38:37 +0700
From: Ammar Faizi <ammarfaizi2@gnuweeb.org>
To: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Cc: Michael William Jonathan <moe@chocola.dev>,
	GNU/Weeb Mailing List <gwml@vger.gnuweeb.org>
Subject: Re: CF ticketing system is still vulnerable
Message-ID: <ZESMHZDr0K/nqYlT@biznet-home.integral.gnuweeb.org>
References: <ZEMx695Kl6rmZUEv@biznet-home.integral.gnuweeb.org>
 <ZENIBgfiQSnZcGS6@biznet-home.integral.gnuweeb.org>
 <CAOG64qO-G66HPBBmsDs80fgfCQrN2o1oSZ720i2TJSMn67cgpw@mail.gmail.com>
 <CAOG64qMi=1oM+iEKZmoQQWonDzE1ZBkfA5pCNmF2LQYQcK8KRw@mail.gmail.com>
 <ZERoaUptOd5Zq0gj@biznet-home.integral.gnuweeb.org>
 <CAOG64qPCF=iQVTwFzk=q0SHet2h+71cxJt3=jDuV-0Pf1Td3Xw@mail.gmail.com>
 <CAOG64qN_prvKLJ21A14zphG8UOXCN6OQ1dOQpuH+KEtr-SHgbw@mail.gmail.com>
 <ZERvkyIY5kz6vH7m@biznet-home.integral.gnuweeb.org>
 <CAOG64qPSwNb944tUzUm+TjCXZYJPUnBA0m4Q71-6mO6Bx3T4QQ@mail.gmail.com>
 <CAOG64qOCKhBCRtH6bhoZLJG5sz7ifdt4AzPZtZnbEnG+4hqKAQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAOG64qOCKhBCRtH6bhoZLJG5sz7ifdt4AzPZtZnbEnG+4hqKAQ@mail.gmail.com>
X-Bpl: hUx9VaHkTWcLO7S8CQCslj6OzqBx2hfLChRz45nPESx5VSB/xuJQVOKOB1zSXE3yc9ntP27bV1M1
List-Id: <gwml.vger.gnuweeb.org>

On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > Summary:
> > > > > - Access from browser: {"success":false}
> > > > > - Access from my POC: {"success":false}
> > > > > - Access from XHR (real login with cookies):  {"success":true, "etickets": [...]}
> > > > > - Access from curl cmd (no cookies):  {"success":true, "etickets": [...]}
> > > >
> > > > Using real login with cookies can only get tickets that the user owns.
> > > > But if I remove the cookies, it can get any ticket just like
> > > > previously (from curl cmd).
> > >
> > > Confirmed. I can reproduce it.
> >
> > This looks like a CDN cache to me. Using cookies will provoke cache
> > misses as the CDN can't decide anything about authentication. Thus, it
> > ends up accessing the origin server to get the response.
> 
> With cookies:
> > < x-cache: Error from cloudfront
> > < age: 2
> > {"success":false}
> 
> Without cookies:
> > < x-cache: RefreshHit from cloudfront
> > < age: 181004
> > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}

Great, good point!

And "age: 181004" means the page you see has been 50.27 hours old. So we
can say that they've fixed the vuln, but their CDN is still caching
the vuln response.

-- 
Ammar Faizi