GNU/Weeb Mailing List <[email protected]>
 help / color / mirror / Atom feed
From: Ammar Faizi <[email protected]>
To: Alviro Iskandar Setiawan <[email protected]>
Cc: Michael William Jonathan <[email protected]>,
	GNU/Weeb Mailing List <[email protected]>
Subject: Re: CF ticketing system is still vulnerable
Date: Sun, 23 Apr 2023 08:53:48 +0700	[thread overview]
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAOG64qP1-u4-n8bQ9Rxr0YJtwRjm1M-00Pht0Kq6m-Q3MFTEsA@mail.gmail.com>

On Sun, Apr 23, 2023 at 08:47:16AM +0700, Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 8:38 AM Ammar Faizi wrote:
> > On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> > > On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > > > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > > > Summary:
> > > > > > > - Access from browser: {"success":false}
> > > > > > > - Access from my POC: {"success":false}
> > > > > > > - Access from XHR (real login with cookies):  {"success":true, "etickets": [...]}
> > > > > > > - Access from curl cmd (no cookies):  {"success":true, "etickets": [...]}
> > > > > >
> > > > > > Using real login with cookies can only get tickets that the user owns.
> > > > > > But if I remove the cookies, it can get any ticket just like
> > > > > > previously (from curl cmd).
> > > > >
> > > > > Confirmed. I can reproduce it.
> > > >
> > > > This looks like a CDN cache to me. Using cookies will provoke cache
> > > > misses as the CDN can't decide anything about authentication. Thus, it
> > > > ends up accessing the origin server to get the response.
> > >
> > > With cookies:
> > > > < x-cache: Error from cloudfront
> > > > < age: 2
> > > > {"success":false}
> > >
> > > Without cookies:
> > > > < x-cache: RefreshHit from cloudfront
> > > > < age: 181004
> > > > {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}
> >
> > Great, good point!
> >
> > And "age: 181004" means the page you see has been 50.27 hours old. So we
> > can say that they've fixed the vuln, but their CDN is still caching
> > the vuln response.
> 
> Right, the only problem here is the tickets served by the CDN cache
> are still accessible. They must reset all tickets again. Otherwise,
> their attempt to protect CF tickets is in vain.

I have posted several questions regarding this to the KiosTix people.
Will send you an update later.

-- 
Ammar Faizi


  reply	other threads:[~2023-04-23  1:53 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CAOG64qN7ZPE+twkvxWM8uq4NDsWzbUsXGYvrPxhf55YWG2G3Ww@mail.gmail.com>
2023-04-21  0:45 ` CF ticketing system is still vulnerable Ammar Faizi
2023-04-21 23:21   ` Ammar Faizi
2023-04-21 23:41     ` Alviro Iskandar Setiawan
2023-04-21 23:50       ` Ammar Faizi
2023-04-22  0:09         ` Alviro Iskandar Setiawan
2023-04-22  0:18           ` Ammar Faizi
2023-04-22  0:29             ` Alviro Iskandar Setiawan
2023-04-22  0:41               ` Ammar Faizi
2023-04-22  0:54                 ` Alviro Iskandar Setiawan
2023-04-22  1:01                   ` Ammar Faizi
2023-04-22  2:35                     ` Ammar Faizi
2023-04-22  6:02                       ` Alviro Iskandar Setiawan
2023-04-22  6:38                         ` Ammar Faizi
2023-04-22  6:53                           ` Alviro Iskandar Setiawan
2023-04-22  7:49                             ` Telegram bot? (was: Re: CF ticketing system is still vulnerable) Ammar Faizi
2023-04-22  7:52                               ` Alviro Iskandar Setiawan
2023-04-22  7:59                                 ` Ammar Faizi
2023-04-22  8:00                                   ` Alviro Iskandar Setiawan
2023-04-22 22:58                         ` CF ticketing system is still vulnerable Alviro Iskandar Setiawan
2023-04-22 23:06                           ` Ammar Faizi
2023-04-22 23:11                             ` Alviro Iskandar Setiawan
2023-04-22 23:23                               ` Alviro Iskandar Setiawan
2023-04-22 23:36                                 ` Ammar Faizi
2023-04-23  1:28                                   ` Alviro Iskandar Setiawan
2023-04-23  1:31                                     ` Alviro Iskandar Setiawan
2023-04-23  1:38                                       ` Ammar Faizi
2023-04-23  1:47                                         ` Alviro Iskandar Setiawan
2023-04-23  1:53                                           ` Ammar Faizi [this message]
2023-04-23  3:33                                             ` Alviro Iskandar Setiawan
2023-04-23  3:36                                               ` Ammar Faizi
2023-04-23  3:48                                                 ` Moe
2023-04-23  3:56                                                   ` Ammar Faizi
2023-04-23  5:23                                                     ` Alviro Iskandar Setiawan
2023-04-23  5:28                                                       ` Ammar Faizi
2023-04-23  5:43                                                         ` Alviro Iskandar Setiawan
2023-04-23  5:35                                                   ` Ammar Faizi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox