
They should make a bug bounty

almost 6 years

> Lucid you high again, this used to be an XSS you fixed and now you broke it.

TL;DR: There's a bug when EM tries to write pinged messages. It has some funny results, not the old XSS or anything harmful, so I'm going on a rant. I may post pictures below, idk yet, it depends how deep I get into this thread since it's 3 AM. Somebody discovered this bug and created all users that can possibly produce it, until there's a new CSS sheet, or at least most that I checked.

So when you message in a lobby, the site constructs the message you're trying to send and lets it go through. The message is composed of HTML elements, essentially building blocks of the site. Sometimes, the site has to know personal information about you when constructing this message - i.e, certain users have colors, so this site has to know what user it is to decide what color message will be sent;

Passing the user to the elements has to be done safely; if it isn't, it could very well affect the layout and content of the page and cause an unwanted behavior. What I found is essentially an element handling which is done irresponsibly in some cases when you ping a user in-game.

The behavior is as such: pings generate two elements, an outer span which contains the styling of the ping and an inner div that has the text of the message. The outer span for some reason types the username in the class attribute of the element, and so if your username is included in any stylesheet at all in a gaming page (I didn't check how wide this is, worked for me in main lobby so I assume it does for all lobbies), layout is going to go wrong, funny and fast.

While testing this effect I experimented with the following stylesheet present in main lobby games: https://epicmafia.com/stylesheets/m/style.css?1543363854?1543363854

So I was trying to find a username which reproduces this bug, that doesn't exist yet, and I failed. Apparently some people figured it out and didn't snitch like me, i.e https://epicmafia.com/user/692689#/ - look at their profile. The great most are noavis with no games - i.e user selected, container26, votebooth, etc. Probably someone who figured out this bug. Ah nice for them, anyway lucid fix your broken site.

Lastly, example: this is what on my google chrome a ping to a user named success would look like:
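
The class-attribute collision described in the post above, as an added example that is not part of the original post or the site's code. The markup shape, the function names and the stylesheet rules are constructed assumptions; it shows that HTML-escaping the username does not stop the collision, while carrying the name in a data attribute does.

```javascript
// Added example: markup shape, function names and CSS rules are constructed assumptions.
const SAMPLE_CSS = `
/* constructed rules standing in for the game stylesheet */
.success { color: green; font-weight: bold }
.center, .votebooth .row { text-align: center }
#lobby .pixel:hover { font-size: 1px }
`;

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);

// Every class name mentioned by any selector in the stylesheet.
function classNamesIn(css) {
  const selectors = css
    .replace(/\/\*[\s\S]*?\*\//g, "") // drop comments
    .replace(/\{[^}]*\}/g, ",");      // drop declaration blocks, keep selectors
  const names = new Set();
  for (const m of selectors.matchAll(/\.(-?[_a-zA-Z][\w-]*)/g)) names.add(m[1]);
  return names;
}

// Pattern from the post: the pinged username becomes a class token on the outer span.
// Escaping blocks markup injection, but the name still selects existing CSS rules.
function renderPingUnsafe(username, text) {
  return `<span class="ping ${escapeHtml(username)}"><div>${escapeHtml(text)}</div></span>`;
}

// Hardened form: fixed class only; the username travels as data, not as a class.
function renderPingSafe(username, text) {
  return `<span class="ping" data-user="${escapeHtml(username)}"><div>${escapeHtml(text)}</div></span>`;
}

// Class tokens on the outer span of a rendered ping.
function outerClasses(html) {
  const m = /^<span class="([^"]*)"/.exec(html);
  return m ? m[1].split(/\s+/).filter(Boolean) : [];
}

// User-derived class tokens that an existing stylesheet rule would match.
function collisions(html, css) {
  const known = classNamesIn(css);
  return outerClasses(html).filter((c) => c !== "ping" && known.has(c));
}

for (const user of ["success", "center", "Linker"]) {
  console.log(user, collisions(renderPingUnsafe(user, "hi"), SAMPLE_CSS),
    collisions(renderPingSafe(user, "hi"), SAMPLE_CSS));
}
```
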

almost 6 years

Shwartz99 says




throwback
almost 6 years
It does not show up on my phone
almost 6 years

SteelixMega says


SteelixMega says


Linker says

Guy who likes pokemon that used to be good for like 1 generation, do you know the XSS in images?


naw im 15. Also where does it say the usernames?





It doesn't anymore, but click the pic in the end of the post and you will see "success" in there where the names used to be.
almost 6 years

SteelixMega says


Linker says

Guy who likes pokemon that used to be good for like 1 generation, do you know the XSS in images?


naw im 15. Also where does it say the usernames?

almost 6 years
wtf nerd
almost 6 years
almost 6 years

pixel says

NO THIS IS NOT OK


You the champ. Here I got your problem fixed. You love me now?
deleted almost 6 years
NO THIS IS NOT OK
almost 6 years

Linker says

I thought a person who had their friend fall for such a serious condition would be careful enough not to fall for the old logout link-in-a-link


my friend has stage 5 dihydrogen monoxide poisoning and you expect me to use logic? with my brain? you must be joking. The insensitivity on this site is unreal
almost 6 years

Linker says


Psy420 says


SteelixMega says


Psy420 says

don't fix this exploit its funny and harmless my best friend has been poisoned by dihydrogen monoxide and has cancer and his last wish is for glitch accounts to stay


oh shoot I heard about that epidemic.

www.dhmo.org/facts


idk what that just did but if that stole my password im suing


I thought a person who had their friend fall for such a serious condition would be careful enough not to fall for the old logout link-in-a-link


"serious condition" it's water you headass
almost 6 years

Linker says

Guy who likes pokemon that used to be good for like 1 generation, do you know the XSS in images?


I don't like Pokemon, it was just a username I made while bypassing suspensions after I claimed I hacked the site. Long story there Adam.
almost 6 years

Psy420 says


SteelixMega says


Psy420 says

don't fix this exploit its funny and harmless my best friend has been poisoned by dihydrogen monoxide and has cancer and his last wish is for glitch accounts to stay


oh shoot I heard about that epidemic.

www.dhmo.org/facts


idk what that just did but if that stole my password im suing


I thought a person who had their friend fall for such a serious condition would be careful enough not to fall for the old logout link-in-a-link
almost 6 years


rest in pepperonis
almost 6 years

Linker says

Guy who likes pokemon that used to be good for like 1 generation, do you know the XSS in images?


naw im 15. Also where does it say the usernames?
almost 6 years
Also I forgot about a user called center, I believe, where their text centers the line
almost 6 years
Guy who likes pokemon that used to be good for like 1 generation, do you know the XSS in images?
almost 6 years

Linker says


SteelixMega says

@sun makes a sun

@pixel makes small pixel-sized font

@pip makes white background for the line

Anybody know any other things like this?

Ik that there are others, like one that makes them big.


Look at shwarts pastebin for starters:
https://pastebin.com/CdsjkTmy
Or at the css file i posted for more.


idk how to read lolz
almost 6 years
Lmfao gotem
almost 6 years

SteelixMega says


Psy420 says

don't fix this exploit its funny and harmless my best friend has been poisoned by dihydrogen monoxide and has cancer and his last wish is for glitch accounts to stay


oh shoot I heard about that epidemic.

www.dhmo.org/facts


idk what that just did but if that stole my password im suing
almost 6 years

Psy420 says

don't fix this exploit its funny and harmless my best friend has been poisoned by dihydrogen monoxide and has cancer and his last wish is for glitch accounts to stay


oh shoot I heard about that epidemic.

www.dhmo.org/facts.html
almost 6 years

Shwartz99 says


this is now PERSONAL LUCID


lol, i was like, why am i in outcast
almost 6 years
don't fix this exploit its funny and harmless my best friend has been poisoned by dihydrogen monoxide and has cancer and his last wish is for glitch accounts to stay
almost 6 years

this is now PERSONAL LUCID
almost 6 years
Actually lucid, can you do one of those effects on my pings?
almost 6 years

SteelixMega says

@sun makes a sun

@pixel makes small pixel-sized font

@pip makes white background for the line

Anybody know any other things like this?

Ik that there are others, like one that makes them big.


Look at shwarts pastebin for starters:
https://pastebin.com/CdsjkTmy
Or at the css file i posted for more.