Program stats

17 vulnerabilities rewarded

4 days average response time

$50 average payout (last 12 weeks)

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Multicraft. Every day new security issues and attack vectors are created. Multicraft strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Targets

Scope

Multicraft 2.1.0 was recently released.
Areas to focus on

  • Docker container feature
  • Editable user roles
  • Two-factor authentication
  • Subdomain feature

Staff Login for Test Installation

  • Username: teststaff
  • Password: teststaffpassword123

In scope (ordered by priority)

  • Obtaining "root" access to the system as a normal user
  • Obtaining "admin" access to the panel as a normal user
  • Obtaining access to the panel or the daemon database as a normal user
  • Obtaining edit access to a server other than the one owned by the user
  • Running actions outside of the privilege of the current user (CSRF/XSS for example)

Out of scope

  • Issues arising from faulty/suboptimal configuration (this includes not using encrypted connections or having CSRF validation disabled in the settings)
  • Accessing files outside of the server directory as the server user
  • Access gained through external software
  • Brute-force attacks
  • Bugs, such as XSS, that only affect legacy software or require exceedingly unlikely user interaction
  • Disclosure of information that is public or does not present significant risk
  • Vulnerabilities that we determine to be an acceptable risk

Additional Information

When using own installation

  • Use free license (or any license you own)
  • Use the latest 2.1.0, Linux 64-bit version only
  • Use an up-to-date Linux system
  • Secure installation according to security guide: http://multicraft.org/site/docs?view=security

When using sample installation

  • Login is shared between users, please don't change the login information
  • Installation is reset every 12 hours
  • If the installation is broken somehow, please contact info@multicraft.org

Quick architecture overview

  • Front-end panel written in PHP using the Yii 1 framework
  • Back-end daemon written in Python 2.7
  • Communication using a custom protocol over TCP
  • Communication secured using a "daemon password"
  • Main configuration file of the panel is protected/config/config.php
  • Main config of the daemon is the multicraft.conf file
  • Two databases:
    • Daemon Database, shared between all daemons as well as the panel (daemon information, server information, players, commands, etc)
    • Panel database, only used by the panel (user information, server metadata)

Access information

Using own installation

  • Download package
    • http://www.multicraft.org/download/index?arch=linux64
  • Install using the installation instructions:
    • http://multicraft.org/site/page?view=install
    • http://www.youtube.com/watch?v=2qCZck_QmgU
  • Try obtaining admin/root/database/cross server access

Using sample installation

  • Visit http://78.46.123.96/multicraft/index.php
  • Log in using: testuser / testpassword123
  • Try obtaining admin/root/database/cross server access

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.