Date: Sun, 23 Apr 2023 08:53:48 +0700
From: Ammar Faizi
To: Alviro Iskandar Setiawan
Cc: Michael William Jonathan, GNU/Weeb Mailing List
Subject: Re: CF ticketing system is still vulnerable

On Sun, Apr 23, 2023 at 08:47:16AM +0700, Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 8:38 AM Ammar Faizi wrote:
> > On Sun, Apr 23, 2023 at 08:31:42AM +0700, Alviro Iskandar Setiawan wrote:
> > > On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> > > > On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > > > > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > > > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > > > > Summary:
> > > > > > > - Access from browser: {"success":false}
> > > > > > > - Access from my POC: {"success":false}
> > > > > > > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > > > > > > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
> > > > > >
> > > > > > Using real login with cookies can only get tickets that the user owns.
> > > > > > But if I remove the cookies, it can get any ticket just like
> > > > > > previously (from curl cmd).
> > > > >
> > > > > Confirmed. I can reproduce it.
> > > >
> > > > This looks like a CDN cache to me. Using cookies will provoke cache
> > > > misses as the CDN can't decide anything about authentication. Thus, it
> > > > ends up accessing the origin server to get the response.
> > >
> > > With cookies:
> > >
> > >   < x-cache: Error from cloudfront
> > >   < age: 2
> > >   {"success":false}
> > >
> > > Without cookies:
> > >
> > >   < x-cache: RefreshHit from cloudfront
> > >   < age: 181004
> > >   {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}
> >
> > Great, good point!
> >
> > And "age: 181004" means the page you see is 50.27 hours old. So we
> > can say that they've fixed the vuln, but their CDN is still caching
> > the vuln response.
>
> Right, the only problem here is the tickets served by the CDN cache
> are still accessible. They must reset all tickets again. Otherwise,
> their attempt to protect CF tickets is in vain.

I have posted several questions regarding this to the KiosTix people.
Will send you an update later.

-- 
Ammar Faizi
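The thread's diagnosis rests on two response headers: `x-cache` says whether CloudFront answered from its cache or went to the origin, and `age` says how old the cached copy is. Below is an added example, written for this edit and not code from the thread or from KiosTix, that audits a captured response for exactly this failure mode from the operator's side: it parses `curl -v` style header lines, decides whether a shared cache served the response, converts `age` to hours, and checks whether the origin sent the `Cache-Control: private` / `no-store` directives that tell a CDN not to store per-user data in the first place. The three sample captures are constructed, modelled on the headers quoted in the thread, with the ticket URLs replaced by a placeholder; the `x-cache` value strings are the ones CloudFront uses, and the `Cache-Control` semantics are those of RFC 9111.

```python
"""Audit a captured HTTP response for CDN caching of per-user data.

Added example; not part of the mailing-list thread. It checks three things
a defender cares about after an authorisation fix at the origin:
  1. did a shared cache (CDN) serve this response instead of the origin?
  2. how old is the cached copy (i.e. how long the fix stays invisible)?
  3. did the origin forbid shared caching with Cache-Control at all?
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse response headers from a captured transcript.

    Accepts plain "Name: value" lines and curl -v style "< Name: value"
    lines. Request lines ("> ...") and curl's "* ..." chatter are skipped,
    and the first blank line after the headers ends parsing so the body is
    never mistaken for a header. Names are lower-cased.
    """
    headers: Dict[str, str] = {}
    seen_header = False
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith(">") or line.startswith("*"):
            continue
        if line.startswith("<"):
            line = line[1:].strip()
        if not line:
            if seen_header:
                break          # blank line terminates the header block
            continue
        if ":" not in line or line.startswith("HTTP/"):
            continue           # status line or junk
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
        seen_header = True
    return headers


@dataclass
class CacheAudit:
    x_cache: Optional[str]
    age_seconds: int
    served_from_cache: bool
    cache_control: str
    origin_forbids_shared_cache: bool
    findings: List[str] = field(default_factory=list)

    def age_hours(self) -> float:
        return self.age_seconds / 3600.0


def audit_response(raw: str) -> CacheAudit:
    """Return a CacheAudit with a human-readable list of findings."""
    h = parse_headers(raw)
    x_cache = h.get("x-cache")
    # CloudFront reports "Hit from cloudfront" or "RefreshHit from cloudfront"
    # when the response came from its cache; "Miss"/"Error" mean the origin
    # was consulted for this request.
    served_from_cache = bool(x_cache) and "hit" in x_cache.lower()
    try:
        age = int(h.get("age", "0"))
    except ValueError:
        age = 0
    cache_control = h.get("cache-control", "")
    directives = {d.strip().lower() for d in cache_control.split(",") if d.strip()}
    # "private" forbids shared caches; "no-store" forbids every cache.
    forbids = bool(directives & {"private", "no-store"})

    audit = CacheAudit(x_cache, age, served_from_cache, cache_control, forbids)
    if not forbids:
        audit.findings.append(
            "origin sent no Cache-Control: private / no-store; "
            "a shared cache may store per-user data")
    if served_from_cache:
        audit.findings.append(
            f"response served from CDN cache ({x_cache}); "
            "the origin did not authorise this request")
        if age > 0:
            audit.findings.append(
                f"cached copy is {audit.age_hours():.2f} h old; an origin-side "
                "fix stays invisible until this entry is invalidated")
    return audit


# Constructed captures modelled on the headers quoted in the thread.
WITH_COOKIES = """\
HTTP/2 200
< x-cache: Error from cloudfront
< age: 2
< content-type: application/json

{"success":false}
"""

WITHOUT_COOKIES = """\
HTTP/2 200
< x-cache: RefreshHit from cloudfront
< age: 181004
< content-type: application/json

{"success":true,"etickets":["https://example.invalid/e/<placeholder>"]}
"""

# What the origin should have sent: the CDN then never stores the reply.
HARDENED = """\
HTTP/2 200
< x-cache: Miss from cloudfront
< cache-control: private, no-store
< content-type: application/json

{"success":false}
"""

if __name__ == "__main__":
    for label, capture in (("with cookies", WITH_COOKIES),
                           ("without cookies", WITHOUT_COOKIES),
                           ("hardened origin", HARDENED)):
        result = audit_response(capture)
        print(f"[{label}] x-cache={result.x_cache!r} age={result.age_hours():.2f}h")
        for finding in result.findings or ["no cache finding"]:
            print("   -", finding)
```

Run as a script it reports that the no-cookie capture was a cache hit just over 50 hours old with no `Cache-Control` protection, that the cookie capture reached the origin but still lacks the directive, and that the hardened capture is clean. The design choice worth noting is that the audit flags the missing `Cache-Control` directive even on a cache miss: a fix at the origin that only changes the authorisation check, without also marking the response uncacheable, leaves the CDN free to store the next authorised reply and hand it to the next anonymous requester, which is the situation the thread describes.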