I'm bored, so I thought I might let you in on some of the vulnerable-ish features over EM. If any mod / admin ever feels like making this place really secure, here are a few points for you.
Note: I won't be going into too much detail on this, so this doesn't become an epicmafia script-kiddie cheatsheet.
Ordered by how critical they are, in my opinion.
Remote code exec via file upload to family page.
- Most of the files (i.e. profile pictures) are uploaded to em-uploads, which is a separate image server, so in case somebody ever bypasses the file format check (I won't go into detail as to how you do it unless mods refer to me with it, but the formatter doesn't check null bytes correctly), you get access to some meaningless server that nobody cares about. Although, family pictures are saved on the server: i.e. https://epicmafia.com/family/9055 - our image is saved at /uploads/families/9055_original.jpg, local path.
CSRF in comments.
- The comments posted have zero (0) CSRF protection in them. I could legit just make a dude post his password with the right parameters, post a link to a page I made, and passwords will be floating around the comments.
XSS
- I won't go into details because everyone could literally just use this now, but try making an image link to an image (![[image number][description]][desc]) and see what happens. That breaks context, and in some of the areas of the site there is a vulnerability. For further details, have a mod contact me personally, I can demonstrate.
Same origin policy bypass.
- If somebody does find the XSS, there's certain places where you could freely upload an image from an outside source (that's not imgur or EM uploads, and thus can be a personal domain). Using side channel attacks, you could bypass same origin policy.
Proxied DoS (It's a feature!) in games.
- Many of the in-game features are protected on the client side. I mean, are you serious? Ghost game comments have a character limit of 100 per comment, but if you edit the max-character attribute I could legit post any size I want that gets into HTTP; that means DDoS on players that goes through the server.
DoS via file extensions on avatars.
- The file extensions on avatars aren't checked properly. That allows you to upload some of those cool gifs as avis, but that can also create a large set of unmonitored traffic if you abuse it a certain way.
DoS via bad indexing.
- Somebody needs to teach Lucid how to use nginx. Are you legit redirecting into the most traffic-ful page when somebody goes to a badly indexed page?
Open redirect.
- There is an open redirect through the error pages with a certain HTTP header.
Information disclosure at login.
- The way EM handles a log-in allows you to figure out whether a certain username exists or not. That isn't very vulnerable, because there is a good captcha in use, although it's not a good practice.
Feel free to ask whatever, but I'm saying ahead I won't answer much as to how to do most of these (except to a mod or an admin that are willing to fix it).
I challenge you, EM, to fix half of these in a week.
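For anyone on the fixing side, here is what the server-side controls for three of the items above look like (the family-page upload check, the comment CSRF / length check, and the login response). This is an added example written in Python, not EpicMafia's own code; EM's actual stack is not named in the post, and every function name, the `csrf_token` form field, the `users` table shape and the sample inputs are assumptions made for the example.

```python
"""Server-side checks for the upload, comment and login findings (added example, not EM's code)."""
import hashlib
import hmac
import re
import secrets

# --- 1. Family-page uploads: the server chooses the stored name; client input is only validated ---

# Assumption: only these image formats are wanted. Each maps to the magic bytes it must start with.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
MAGIC_BYTES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def safe_upload_name(client_filename: str, data: bytes, family_id: int) -> str:
    """Return a server-chosen storage name, or raise ValueError if the upload is rejected.

    Any control character (NUL included) anywhere in the client name is rejected outright,
    the extension is taken from the last dot only, and the file content must match it.
    """
    if not client_filename or re.search(r"[\x00-\x1f\x7f]", client_filename):
        raise ValueError("control character in filename")
    if "." not in client_filename:
        raise ValueError("no extension")
    ext = client_filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext}")
    if not any(data.startswith(magic) for magic in MAGIC_BYTES[ext]):
        raise ValueError("content does not match extension")
    # The stored name is built only from trusted values: the numeric family id and the vetted extension.
    return f"{int(family_id)}_original.{ext}"


def upload_rejected(client_filename: str, data: bytes, family_id: int = 9055) -> bool:
    """Convenience wrapper: True if safe_upload_name() would refuse this upload."""
    try:
        safe_upload_name(client_filename, data, family_id)
        return False
    except ValueError:
        return True


# --- 2. Comments: a session-bound CSRF token, and the 100-char limit re-checked on the server ---

COMMENT_MAX_CHARS = 100  # same number the client enforces; the client value is never trusted


def issue_csrf_token(session_id: str, server_secret: bytes) -> str:
    """Derive a per-session token to embed in the comment form as a hidden field (assumed name: csrf_token)."""
    return hmac.new(server_secret, b"csrf:" + session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: str, server_secret: bytes) -> bool:
    expected = issue_csrf_token(session_id, server_secret)
    return hmac.compare_digest(expected, submitted or "")


def accept_comment(form: dict, session_id: str, server_secret: bytes) -> tuple:
    """Return (accepted, reason_or_body). A cross-site form post has no valid token and is dropped."""
    if not verify_csrf_token(session_id, form.get("csrf_token", ""), server_secret):
        return False, "csrf"
    body = form.get("body", "")
    if len(body) > COMMENT_MAX_CHARS:
        return False, "too_long"
    return True, body


# --- 3. Login: one generic failure message, and the same work done whether or not the user exists ---

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed per process; only used so that unknown usernames cost the same as known ones.
DUMMY_SALT = secrets.token_bytes(16)
DUMMY_HASH = _hash_password("dummy", DUMMY_SALT)


def register_user(users: dict, username: str, password: str) -> None:
    """users maps username -> (salt, pbkdf2 hash)."""
    salt = secrets.token_bytes(16)
    users[username] = (salt, _hash_password(password, salt))


def login(username: str, password: str, users: dict) -> tuple:
    """Return (ok, message). The message is identical for a wrong password and an unknown username."""
    salt, stored = users.get(username, (DUMMY_SALT, DUMMY_HASH))
    candidate = _hash_password(password, salt)  # always computed, even for unknown users
    ok = hmac.compare_digest(candidate, stored) and username in users
    return (True, "welcome") if ok else (False, "invalid username or password")
```

The upload check deliberately ignores everything the client says about the file except the last extension, and the name written to disk contains nothing the client supplied; the comment handler applies the same limit the page's `max-character` attribute advertises, so editing the attribute changes nothing; and the login path returns one message and does one password hash regardless of whether the username is known.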