Date: Sun, 23 Apr 2023 08:38:37 +0700
From: Ammar Faizi
To: Alviro Iskandar Setiawan
Cc: Michael William Jonathan, GNU/Weeb Mailing List
Subject: Re: CF ticketing system is still vulnerable

On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > Summary:
> > > > > - Access from browser: {"success":false}
> > > > > - Access from my POC: {"success":false}
> > > > > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > > > > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
> > > >
> > > > Using real login with cookies can only get tickets that the user owns.
> > > > But if I remove the cookies, it can get any ticket just like
> > > > previously (from curl cmd).
> > >
> > > Confirmed. I can reproduce it.
> >
> > This looks like a CDN cache to me. Using cookies will provoke cache
> > misses as the CDN can't decide anything about authentication. Thus, it
> > ends up accessing the origin server to get the response.
>
> With cookies:
>
> < x-cache: Error from cloudfront
> < age: 2
> {"success":false}
>
> Without cookies:
>
> < x-cache: RefreshHit from cloudfront
> < age: 181004
> {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}

Great, good point!

And "age: 181004" means the page you see is 50.27 hours old. So we can say
that they've fixed the vuln, but their CDN is still caching the vuln
response.

-- 
Ammar Faizi
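A header audit of the kind this exchange implies, as an added example that is not from the thread or the ticketing system: it parses curl-style response headers, flags a per-user endpoint whose response was served from the shared cache or lacks `Cache-Control: private`/`no-store`, and reports the cache age in hours. The `x-cache` and `age` values are the ones quoted above; the endpoint path and the `Cache-Control` values are assumptions, since the thread does not show them.

```python
"""Audit CDN cache headers on responses that must stay per-user.

Constructed example. x-cache/age values come from the thread; the endpoint
path and Cache-Control values are assumed (the thread does not show them).
"""
from dataclasses import dataclass

# Assumed: paths whose responses depend on the logged-in user.
PERSONALISED_PATHS = ("/etickets",)


@dataclass
class Finding:
    path: str
    served_from_cache: bool   # CDN answered from its cache, not the origin
    age_hours: float          # how long the CDN has held this response
    cache_control_ok: bool    # origin forbids shared caching


def parse_headers(raw: str) -> dict[str, str]:
    """Parse curl -v style response lines ('< name: value') into a dict."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("<") or ":" not in line:
            continue
        name, _, value = line[1:].partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def forbids_shared_caching(cache_control: str) -> bool:
    """True if Cache-Control carries private or no-store."""
    directives = {d.strip().split("=")[0].lower()
                  for d in cache_control.split(",") if d.strip()}
    return bool(directives & {"private", "no-store"})


def audit(path: str, raw_headers: str) -> Finding:
    h = parse_headers(raw_headers)
    # CloudFront x-cache values include Hit, RefreshHit, Miss and Error;
    # anything containing "hit" means the body came out of the cache.
    served_from_cache = "hit" in h.get("x-cache", "").lower()
    age_hours = int(h.get("age", "0")) / 3600
    return Finding(path, served_from_cache, age_hours,
                   forbids_shared_caching(h.get("cache-control", "")))


def is_vulnerable(f: Finding) -> bool:
    """A per-user response is a problem if a shared cache may keep it, or did."""
    return f.path in PERSONALISED_PATHS and (f.served_from_cache or not f.cache_control_ok)


# Constructed samples: the stale no-cookie response from the thread (with an
# assumed permissive Cache-Control) and a corrected origin response.
STALE_NO_COOKIE = "< x-cache: RefreshHit from cloudfront\n< age: 181004\n< cache-control: max-age=3600\n"
FIXED_ORIGIN = "< x-cache: Miss from cloudfront\n< age: 0\n< cache-control: private, no-store\n"
```

Even after the origin is fixed, `audit` keeps reporting the old response as a cache hit until the CDN entry expires or is invalidated, which is exactly the situation described in the thread.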