Multicraft bug bounty program

Reward: 25 $


We appreciate all security concerns brought to our attention and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Multicraft. New security issues and attack vectors appear every day, and Multicraft strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.


In scope

Target name | Type
Multicraft 2.1.0 - Linux 64bit (primary target) - see Access Information below | Other
Sample installation @ | Other


Multicraft 2.1.0 was recently released.
Areas to focus

  • Docker container feature
  • Editable user roles
  • Two Factor authentication
  • Subdomain feature

Staff Login for Test Installation

  • Username: teststaff
  • Password: teststaffpassword123

In scope (ordered by priority)

  • Obtaining "root" access to the system as a normal user
  • Obtaining "admin" access to the panel as a normal user
  • Obtaining access to the panel or the daemon database as a normal user
  • Obtaining edit access to a server other than the one owned by the user
  • Running actions outside the privileges of the current user (for example via CSRF or XSS)

Out of scope

  • Issues arising from faulty/suboptimal configuration (this includes not using encrypted connections or having CSRF validation disabled in the settings)
  • Accessing files outside of the server directory as the server user
  • Access gained through external software
  • Bruteforce attacks
  • Bugs, such as XSS, that only affect legacy software or require exceedingly unlikely user interaction
  • Disclosure of information that is public or does not present significant risk
  • Vulnerabilities that we determine to be an acceptable risk

Additional Information

When using own installation

  • Use free license (or any license you own)
  • Use latest 2.1.0, Linux 64bit version only
  • Use up to date Linux system
  • Secure the installation according to the security guide:

When using sample installation

  • Login is shared between users, please don't change the login information
  • Installation is reset every 12 hours
  • If installation is broken somehow, please contact

Quick architecture overview

  • Front end panel written in PHP using the Yii 1 framework
  • Back end daemon written in Python 2.7
  • Panel and daemon communicate using a custom protocol over TCP
  • Communication is secured with a shared "daemon password"
  • Main configuration file of the panel is protected/config/config.php
  • Main configuration file of the daemon is multicraft.conf
  • Two databases:
    • Daemon database, shared between all daemons as well as the panel (daemon information, server information, players, commands, etc.)
    • Panel database, used only by the panel (user information, server metadata)
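Because findings that stem from a faulty or suboptimal configuration are out of scope, a researcher using their own installation should harden it before hunting. The script below is an added example for this listing, not Multicraft's own code or part of its security guide. It assumes (this is not stated on the program page) that multicraft.conf and protected/config/config.php hold the shared daemon password and database credentials and so should be readable only by their owner, and that the daemon's TCP listener defaults to port 25465; the install paths in the usage comment are likewise example paths.

```shell
#!/bin/sh
# Pre-flight checks for a self-hosted Multicraft test installation before bug hunting.
# Added example for this listing, not Multicraft's own code. Assumptions not taken
# from the program page: the daemon's multicraft.conf and the panel's
# protected/config/config.php both contain the shared "daemon password" (and database
# credentials), so they should be readable only by their owner; the daemon's TCP
# listener is assumed to use port 25465 (override with DAEMON_PORT if yours differs).

DAEMON_PORT="${DAEMON_PORT:-25465}"

# Return 0 when FILE exists and has no group/other permission bits set,
# 1 when it is readable/writable by group or other, 2 when it does not exist.
secret_file_is_private() {
    f="$1"
    [ -f "$f" ] || return 2
    # ls -ld prints a mode string such as "-rw-------"; columns 5-10 are the
    # group and other bits (POSIX ls, so no GNU-only stat/find flags are needed).
    mode=$(ls -ld "$f" | cut -c5-10)
    case "$mode" in
        *[rwx]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Read "ss -ltn"-style listener lines on stdin and return 1 if DAEMON_PORT is bound
# to a wildcard address (reachable from every interface), 0 otherwise.
daemon_not_on_wildcard() {
    while read -r line; do
        # The fourth column of ss -ltn output is "Local Address:Port".
        local_addr=$(printf '%s\n' "$line" | awk '{print $4}')
        case "$local_addr" in
            "0.0.0.0:$DAEMON_PORT" | "*:$DAEMON_PORT" | "[::]:$DAEMON_PORT")
                return 1 ;;
        esac
    done
    return 0
}

# Run both checks; the arguments are the config files to inspect.
run_checks() {
    status=0
    for f in "$@"; do
        if secret_file_is_private "$f"; then
            echo "ok   $f is readable only by its owner"
        else
            echo "FAIL $f is missing or readable by group/other (chmod 600 it and re-check)"
            status=1
        fi
    done
    if command -v ss >/dev/null 2>&1; then
        if ss -ltn 2>/dev/null | daemon_not_on_wildcard; then
            echo "ok   daemon port $DAEMON_PORT is not bound to a wildcard address"
        else
            echo "WARN daemon port $DAEMON_PORT listens on all interfaces; bind it to the panel's address or firewall it"
            status=1
        fi
    fi
    return "$status"
}

# Usage (example paths, adjust to your layout):
#   sh multicraft-preflight.sh /home/minecraft/multicraft/multicraft.conf \
#       /var/www/html/multicraft/protected/config/config.php
if [ $# -gt 0 ]; then
    run_checks "$@"
fi
```

Run it as the user that owns the installation; a FAIL or WARN line means a later "I can read the daemon password as a normal user" report would most likely be triaged as a configuration issue rather than a product bug.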

Access information

Using own installation

  • Download package
  • Install using the installation instructions:
  • Try obtaining admin/root/database/cross-server access

Using sample installation

  • Visit
  • Log in using: testuser / testpassword123
  • Try obtaining admin/root/database/cross-server access

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.

FireBounty © 2015-2019