We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Multicraft. Every day new security issues and attack vectors are created. Multicraft strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Targets

In scope

Scope

Multicraft 2.1.0 was recently released.
Areas to focus on
- Docker container feature
- Editable user roles
- Two-factor authentication
- Subdomain feature

Staff Login for Test Installation
- Username: teststaff
- Password: teststaffpassword123

In scope (ordered by priority)

  • Obtaining "root" access to the system as a normal user
  • Obtaining "admin" access to the panel as a normal user
  • Obtaining access to the panel or the daemon database as a normal user
  • Obtaining edit access to a server other than the one owned by the user
  • Running actions outside of the privilege of the current user (CSRF/XSS for example)

Out of scope

  • Issues arising from faulty/suboptimal configuration (this includes not using encrypted connections or having CSRF validation disabled in the settings)
  • Accessing files outside of the server directory as the server user
  • Access gained through external software
  • Brute-force attacks
  • Bugs, such as XSS, that only affect legacy software or require exceedingly unlikely user interaction
  • Disclosure of information that is public or does not present significant risk
  • Vulnerabilities that we determine to be an acceptable risk

Additional Information

When using your own installation

  • Use a free license (or any license you own)
  • Use the latest 2.1.0 release, Linux 64-bit version only
  • Use an up-to-date Linux system
  • Secure the installation according to the security guide: http://multicraft.org/site/docs?view=security

When using the sample installation

  • The login is shared between users; please don't change the login information
  • The installation is reset every 12 hours
  • If the installation is broken somehow, please contact info@multicraft.org

Quick architecture overview

  • Front-end panel written in PHP using the Yii 1 framework
  • Back-end daemon written in Python 2.7
  • Communication using a custom protocol over TCP
  • Communication secured using a "daemon password"
  • Main configuration file of the panel is protected/config/config.php
  • Main configuration file of the daemon is multicraft.conf
  • Two databases:
    • Daemon database, shared between all daemons as well as the panel (daemon information, server information, players, commands, etc.)
    • Panel database, only used by the panel (user information, server metadata)

Access information

Using your own installation

  • Download the package:
    • http://www.multicraft.org/download/index?arch=linux64
  • Install using the installation instructions:
    • http://multicraft.org/site/page?view=install
    • http://www.youtube.com/watch?v=2qCZck_QmgU
  • Try obtaining admin/root/database/cross server access

Using the sample installation

  • Visit http://78.46.123.96/multicraft/index.php
  • Log in using: testuser / testpassword123
  • Try obtaining admin/root/database/cross server access

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.