
Epicly vulnerable.

over 8 years

I'm bored, so I thought I might let you in on some of the vulnerable-ish features over EM. If any mod / admin ever feels like making this place really secure, here are a few points for you.

note: I won't be going into too much detail on this, so this doesn't become an epicmafia script-kiddie cheat sheet.

Ordered by how critical they are, in my opinion.

remote code exec via file upload to family page.

  • Most of the files (i.e. profile pictures) are uploaded to em-uploads, which is a separate image server, so in case somebody ever bypasses the file format check (I won't go into detail as to how you do it unless mods refer to me with it, but the formatter doesn't check null bytes correctly), you get access to some meaningless server that nobody cares about. Although, family pictures are saved on the server itself: e.g. https://epicmafia.com/family/9055 - our image is saved at /uploads/families/9055_original.jpg, a local path.

CSRF in comments.

  • The comments posted have zero (0) CSRF protection on them. I could legit just make a dude post his password with the right parameters, post a link to a page I made, and passwords will be floating around the comments.

XSS

  • I won't go into details because everyone could literally just use this now, but try making an image link to an image (![[image number][description]][desc]) and see what happens. That breaks context, and in some areas of the site there is a vulnerability. For further details, have a mod contact me personally; I can demonstrate.

same origin policy bypass.

  • If somebody does find the XSS, there are certain places where you could freely upload an image from an outside source (one that's not imgur or EM uploads, and thus can be a personal domain). Using side-channel attacks, you could bypass the same-origin policy.

Proxied DoS (It's a feature!) in games.

  • Many of the in-game features are protected on the client side. I mean, are you serious? Ghost game comments have a character limit of 100 per comment, but if you edit the max-character attribute I could legit post any size I want, which gets into HTTP; that means DDoS on players that goes through the server.

DoS via file extensions on avatars.

  • The file extensions on avatars aren't checked properly. That allows you to upload some of those cool gifs as avis, but it can also create a large set of unmonitored traffic if you abuse it a certain way.

DoS via bad indexing.

  • Somebody needs to teach Lucid how to use nginx. Are you legit redirecting to the most traffic-heavy page when somebody goes to a badly indexed page?

open redirect.

  • There is an open redirect through the error pages with a certain HTTP header.

information disclosure at login.

  • The way EM handles a log-in allows you to figure out whether a certain username exists or not. That isn't very vulnerable, because there is a good captcha in use, although it's not good practice.

Feel free to ask whatever, but I'm saying ahead that I won't answer much as to how to do most of these (except to a mod or an admin who is willing to fix it).

I challenge you, EM, to fix half of these in a week.
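An added illustration of the bug class behind the first item (editor's own code, not EM's; the site's upload code is not public). The post says the format check does not handle null bytes correctly; the classic shape of that bug is an extension check that looks only at the text after the last dot, so `shell.php\x00.jpg` passes, while a storage layer that treats the name as a NUL-terminated string writes `shell.php`. The hardened function refuses control bytes, checks the body's leading bytes against the claimed type, and lets the server pick the on-disk name. The `9055_original.jpg` naming follows the path quoted in the post; the allowed-type list, the magic-byte table and the truncating storage layer are assumptions for the example.

```python
import os
import re
from typing import Optional

# Image types the family page is assumed to accept (assumption, not EM's list).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of each allowed format, so the body is checked and not only the name.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def naive_extension_ok(filename: str) -> bool:
    """The weak check: only the text after the last dot is inspected.
    'shell.php\\x00.jpg' passes because that text is 'jpg'."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def c_string_truncate(filename: str) -> str:
    """Models a storage layer that treats the name as a NUL-terminated C string
    (older PHP, some Java and C APIs did): everything after the first NUL is lost."""
    return filename.split("\x00", 1)[0]


def stored_name_after_naive_check(filename: str) -> Optional[str]:
    """What the weak pipeline writes to disk, or None if the check rejected it.
    The checked name and the written name disagree exactly when a NUL is present."""
    if not naive_extension_ok(filename):
        return None
    return c_string_truncate(filename)


def safe_stored_name(filename: str, content: bytes, object_id: int) -> str:
    """Hardened pipeline: refuse control bytes outright, validate the whole name
    against a strict pattern, confirm the body's leading bytes match the claimed
    type, and let the server rather than the client choose the on-disk name."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        raise ValueError("control character in filename")
    base = os.path.basename(filename.replace("\\", "/"))
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if not m:
        raise ValueError("unexpected filename shape")
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    if not content.startswith(MAGIC[ext]):
        raise ValueError("body does not start like a %s" % ext)
    # Server-chosen name in the style the post quotes (NNNN_original.jpg). The
    # client's filename influences nothing but the validated extension.
    return "%d_original.%s" % (object_id, ext)
```

Even a body that passes the magic-byte check can be a polyglot (a valid GIF with script text appended), so name validation alone is not the whole fix. The deeper fix is the one the post already implies: store every upload, family pictures included, somewhere nothing executes, such as the separate em-uploads host, and serve it with a fixed content type.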
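An added example (editor's code, not EM's) covering the comment CSRF item and the client-side-only length limit on ghost-game comments together, since both are fixed in the same request handler. The vulnerable handler accepts any POST that carries a session cookie, which is exactly what a form auto-submitted from another site delivers, and trusts the HTML maxlength attribute for size. The hardened handler checks the request origin, requires a per-session CSRF token that a foreign page cannot read, and enforces the 100-character limit on the server. The origin `https://epicmafia.com` is taken from the post's own URLs; `attacker.example`, the session class and the request dictionaries are constructed for the example.

```python
import hmac
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://epicmafia.com"   # origin the handler treats as its own (from the post's URLs)
MAX_COMMENT_LEN = 100                   # the ghost-game limit the post says only the client enforces

Response = Tuple[int, str]


class Session:
    """Server-side login state. The CSRF token is generated here, per session,
    and is only ever embedded in pages served from SITE_ORIGIN."""

    def __init__(self, user: str) -> None:
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


def vulnerable_post_comment(session: Optional[Session], form: Dict[str, str],
                            headers: Dict[str, str], store: List[Tuple[str, str]]) -> Response:
    """The pattern the post describes: the only thing checked is that a session
    cookie arrived. Browsers attach that cookie to a POST from any site, and the
    client-side maxlength attribute is the only size limit, i.e. there is none."""
    if session is None:
        return 401, "login required"
    store.append((session.user, form.get("body", "")))
    return 200, "posted"


def _same_origin(url: str) -> bool:
    want = urlsplit(SITE_ORIGIN)
    got = urlsplit(url)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def hardened_post_comment(session: Optional[Session], form: Dict[str, str],
                          headers: Dict[str, str], store: List[Tuple[str, str]]) -> Response:
    """Same handler with the checks the post implies are missing."""
    if session is None:
        return 401, "login required"
    # 1. A state-changing request must come from our own origin. Browsers set Origin
    #    on cross-site POSTs; fall back to Referer, and fail closed if neither is present.
    source = headers.get("Origin") or headers.get("Referer") or ""
    if not _same_origin(source):
        return 403, "cross-origin request rejected"
    # 2. The form must carry the per-session token. A page on another origin cannot
    #    read it (same-origin policy), so it cannot build a request that has it.
    supplied = form.get("csrf_token", "").encode("utf-8")
    if not hmac.compare_digest(supplied, session.csrf_token.encode("utf-8")):
        return 403, "missing or invalid CSRF token"
    # 3. Enforce the length on the server; the HTML attribute is advice, not a control.
    body = form.get("body", "")
    if len(body) > MAX_COMMENT_LEN:
        return 413, "comment too long"
    store.append((session.user, body))
    return 200, "posted"


def simulate() -> Dict[str, Tuple[Response, Response]]:
    """Constructed requests run through both handlers.
    Returns {scenario: (vulnerable_result, hardened_result)}."""
    victim = Session("victim")
    legit_headers = {"Origin": SITE_ORIGIN}
    cross_site_headers = {"Origin": "https://attacker.example"}   # constructed attacker origin
    legit = {"body": "gg", "csrf_token": victim.csrf_token}
    forged = {"body": "my password is hunter2"}                   # constructed; no token
    oversize = {"body": "A" * 5000, "csrf_token": victim.csrf_token}
    results: Dict[str, Tuple[Response, Response]] = {}
    for name, headers, form in [("legit", legit_headers, legit),
                                ("cross_site", cross_site_headers, forged),
                                ("oversize", legit_headers, oversize)]:
        results[name] = (vulnerable_post_comment(victim, dict(form), dict(headers), []),
                         hardened_post_comment(victim, dict(form), dict(headers), []))
    return results
```

The token check is the control; the origin check is defence in depth for the case where a token leaks through the XSS the post also mentions. A SameSite cookie attribute on the session cookie adds a third, browser-enforced layer.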
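An added example (editor's code, not EM's) for the last item, username disclosure at login. The leaky version answers differently depending on whether the account exists and returns early, so both the message and the response time reveal valid usernames; the uniform version returns one message and always performs one password hash, using a throwaway record when the user is unknown. The user table, the sample account and the password-hashing parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple

# Deliberately low iteration count so the example runs quickly; use a much
# higher count (or Argon2/scrypt) in production.
PBKDF2_ROUNDS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_table(creds: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user table: username -> (salt, hash)."""
    table = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        table[user] = (salt, hash_password(pw, salt))
    return table


USERS = make_user_table({"linker": "correct horse battery"})   # constructed sample account

# A throwaway record so a lookup for a name that does not exist still pays for one
# full hash, matching the cost of a real-user, wrong-password attempt.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def leaky_login(username: str, password: str) -> Tuple[bool, str]:
    """The behaviour the post describes: the response says whether the username
    exists, and the early return makes the timing differ as well."""
    rec = USERS.get(username)
    if rec is None:
        return False, "no such user"
    salt, digest = rec
    if hmac.compare_digest(hash_password(password, salt), digest):
        return True, "ok"
    return False, "wrong password"


def uniform_login(username: str, password: str) -> Tuple[bool, str]:
    """Same message and same amount of work whether or not the user exists."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)            # always computed
    matched = hmac.compare_digest(candidate, digest)
    ok = matched and username in USERS                    # the dummy record can never log in
    return ok, ("ok" if ok else "invalid username or password")
```

The captcha the post mentions slows enumeration down but does not remove the signal. The same uniform response is needed on the sign-up and password-reset forms, otherwise fixing the login form alone achieves little.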

Poll: Is EM secure? Nope (47), Not really (7)
over 8 years
so this thread is in Spanish right? or is it German
over 8 years

Linker says


Escurai says

Is the countdown to where you take down the site if all the problems aren't fixed?


Nuhhh, I'm just going to tinker around with the links so sandbox becomes competitive and competitive becomes sandbox :3


You'd be improving the player quality in gold hearts
over 8 years

Escurai says

Is the countdown to where you take down the site if all the problems aren't fixed?


Nuhhh, I'm just going to tinker around with the links so sandbox becomes competitive and competitive becomes sandbox :3
over 8 years
Is the countdown to where you take down the site if all the problems aren't fixed?
over 8 years
cringe af
over 8 years

Blister says


nicoleyrenaa says

By the way i want everyone to know that Linker ignored me and the potential to receive nudes to make this thread, so I'd say that this deserves attention.


he dodged a bullet there


my body does shoot bullets you're right
over 8 years

schutzekatze says


Linker says

I challenge you, EM, to fix half of these in a week.


Hahahah yeah...

Jesus, I didn't test the site vulnerabilities, but these are pretty basic.

In my opinion, Epicmafia should be opensourced on a repository hosting service where the users could possibly contribute fixes. I know I would.


nuhhh, you'll just have a horde of vulnerabilities flying at you. I am not a special snowflake; other people can find this kinda stuff too. If that's what I found within a bit less than an hour of blackbox, a whitebox is pretty much gonna let me drop table lucid beyond repair. not that we're that far away from this the way things are :P
deleted · over 8 years
Whoever u are Linker, u sexy nerdy beast
deleted · over 8 years

nicoleyrenaa says

By the way i want everyone to know that Linker ignored me and the potential to receive nudes to make this thread, so I'd say that this deserves attention.


he dodged a bullet there
over 8 years
By the way i want everyone to know that Linker ignored me and the potential to receive nudes to make this thread, so I'd say that this deserves attention.
over 8 years
nobody said Lucid was tech savvy
over 8 years

Linker says

I challenge you, EM, to fix half of these in a week.


Hahahah yeah...

Jesus, I didn't test the site vulnerabilities, but these are pretty basic.

In my opinion, Epicmafia should be opensourced on a repository hosting service where the users could possibly contribute fixes. I know I would.
over 8 years
10/10 thread baby
over 8 years
These are just some I felt like posting; there's more that I know of, and there's likely more that I don't. I just looked into it for a solid hour or so.
deleted · over 8 years
Hey Adam, nice thread