Back to Epicmafia

They should make a bug bounty

Linker
almost 6 years

> Lucid you high again, this used to be an XSS you fixed and now you broke it.

TL;DR: There's a bug when EM tries to write pinged messages. It has some funny results, not the old XSS or anything harmful, so im going on a rant. i may post pictures below, idk yet it depends how deep i get into this thread since its 3 AM. Somebody discovered this bug and created all users that can possibly produce it, until there's a new CSS sheet, or at least most that i checked.

So when you message in a lobby, the site constructs the message you're trying to send and lets it go through. The message is composed of HTML elements, essentially building blocks of the site. Sometimes, the site has to know personal information about you when constructing this message - i.e, certain users have colors, so this site has to know what user it is to decide what color message will be sent;

Passing the user to the elements has to be done safely; if it isn't, it could very well affect the layout and content of the page and cause an unwanted behavior. What I found is essentially an element handling which is done irresponsibly in some cases when you ping a user in-game.

The behavior is as such: pings generate two elements,an outer span which contains the styling of the ping and an inner div that has the text of the message. The outer span for some reason types the username in the class attribute of the element, and so if your username is included in any stylesheet at all in a gaming page ( i didn't check how wide this is, worked for me in main lobby so i assume it does for all lobbies ), layout is going to go wrong, funny and fast.

While testing this effect I experimented with the following stylesheet present in main lobby games: https://epicmafia.com/stylesheets/m/style.css?1543363854?1543363854

So I was trying to find a username which reproduces this bug, that doesn't exist yet, and I failed. apparently some people figured it out and didn't snitch like me, i.e https://epicmafia.com/user/692689#/ - look at their profile. the great most are noavis with no games - i.e user selected, container26, votebooth, etc. probably someone who figured out this bug. Ah nice for them, anyway lucid fix your broken site.

Lastly, example: this is what on my google chrome a ping to a user named success would look like:

Linker
almost 6 years

Psy420 says

Wow snitch


Look whoever did it took all the good users. Either you share or you get busted.
Shwartz99
almost 6 years
directed_at__Shwartz99
SteelixMega
almost 6 years
@sun makes a sun

@pixel makes small pixel-sized font

@pip makes white background for the line

Anybody know any other things like this?

Ik that there are others, like one that makes them big.
Linker
almost 6 years

Shwartz99 says

i dont get it the new css is identical https://www.diffchecker.com/ytfiFjRu


he didn't change the CSS, he changed the way names are inserted into the span classes. Nothing wrong with the CSS names having one word that could be a user, everything wrong with putting that username in the class attribute. lol
Psy
almost 6 years
Wow snitch
Shwartz99
almost 6 years
oh i get what he changed
Shwartz99
almost 6 years
i dont get it the new css is identical https://www.diffchecker.com/ytfiFjRu
Linker
almost 6 years

Shwartz99 says

its sad because i just snagged a new one, actionimg, and it was such a nice acct :(


rip shwaggy account
SteelixMega
almost 6 years
Cri
Linker
almost 6 years

admin says

thanks for the lengthy post! made it easy for me!


A fast reply & fix, what are you, some caring webmaster that attends to his site on a daily basis now? :)
Shwartz99
almost 6 years
its sad because i just snagged a new one, actionimg, and it was such a nice acct :(
Linker
almost 6 years

Shwartz99 says

*sobs* god damn you linker this friendship is OVER


You love me even if I come back to this game for like 5 minutes every 2 years.
Shwartz99
almost 6 years
*sobs* god damn you linker this friendship is OVER
Linker
almost 6 years

Shwartz99 says

also WAY ahead of you on this heres the list i compiled: https://pastebin.com/CdsjkTmy

all of the ones that are 4 letters long or more have been taken, and a great many that are 3 are also taken

so i guess your best bet to get one of these rare glitched accts is to buy a 3 or 2 letter username or beg xela for one


Earlier but incomplete. K you cool but did you find the XSS in image tags yet
Linker
almost 6 years

admin says

this was a funny exploit, i'll name it "cxss"


Lol you remember i reported to you the ghost lobby message length validation in clientside only?

You could drop somebodys chat with 4 GB of A in chat if you hated their ghosttells
admin
almost 6 years
this was a funny exploit, i'll name it "cxss"
admin
almost 6 years

Shwartz99 says

NO DONT FIX IT LUCID THEY ARENT EVEN USED FOR EXPLOITING ANYTHING EVIL


XD
Shwartz99
almost 6 years
NO DONT FIX IT LUCID THEY ARENT EVEN USED FOR EXPLOITING ANYTHING EVIL
admin
almost 6 years
thanks for the lengthy post! made it easy for me!
admin
almost 6 years
someone should have just emailed me, this will be fixed in 5 minutes
Shwartz99
almost 6 years
as a sidenote lucid does update the css to add more of these occasionally so good luck sniping one if they appear
Shwartz99
almost 6 years
also WAY ahead of you on this heres the list i compiled: https://pastebin.com/CdsjkTmy

all of the ones that are 4 letters long or more have been taken, and a great many that are 3 are also taken

so i guess your best bet to get one of these rare glitched accts is to buy a 3 or 2 letter username or beg xela for one
Shwartz99
almost 6 years
hey thats MY ALT YOU LINKED THERE
Linker
almost 6 years
Should I make the title catchy like, "cyber" or add a poll or something? I'm too tired to be thinking.