  1. #1

    [CRUCIAL ALERTS]

    Hey,
    Well I currently work as an "IT Security" for this "Web Hosting Company".
    So I was like let me test RGC and how well it's secured.
    Sadly it isn't, which is why I'm reporting the following alerts:

    P.S Do not dare to PM me asking me "How Can I Work Out This Exploit"

    1) PHP multipart/form-data denial of service

    Any botnet can take out RGC servers completely.

    How to fix this vulnerability
    Workarounds:
    1. Disable file uploads
    If you don't need file uploading, you can disable this feature from php.ini
    file_uploads = Off
    2. Install PHP 5.3.1
    If you cannot disable file uploading on your website, it's recommended to install the latest version of PHP. PHP 5.3.1 includes a patch for this problem:
    - Added max_file_uploads INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
    3. Install Suhosin PHP extension
    The Suhosin PHP extension has an option named suhosin.upload.max_uploads. This option defines the maximum number of files that may be uploaded with one request and by default is set to 25. The Suhosin PHP extension should not be confused with the Suhosin Patch, which does not protect against this attack.

    2) Apache 2.x version older than 2.2.10

    Cross-site scripting (XSS) attacks are easy on RGC.

    How to fix this vulnerability

    Upgrade Apache 2.x to the latest version.

    3) Possible sensitive directories

    /stats/admin

    How to fix this vulnerability

    Restrict access to this directory or remove it from the website.

    4) TRACE method is enabled

    Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data.

    How to fix this vulnerability

    Disable TRACE Method on the web server.

    5) Error page web server version disclosure

    Information disclosure pattern found: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch Server at stats.rankedgaming.com Port 80

    How to fix this vulnerability

    If you are using Apache, you can setup a custom 404 page.

    6) EXTREME DANGER "MySQL Enterprise Server v.5.0.52 Multiple"

    Well, a hacker can easily change stats, wins, ranks, score, etc. and even delete the whole database. (ENOUGH SAID)

    How to fix this vulnerability

    Upgrade the MySQL Enterprise Server to the latest version.

    7) Port Scanning

    Open Port 22 / ssh
    Open Port 80 / http
    Open Port 3306 / mysql


    NOTE DOWN: This report isn't to abuse RGC but to fix it.
    ANY pm to me from any user asking about the exploits will be considered as a threat, and I will report the user to Rogers for a perma IP BAN.
    Thank You
    Last edited by bitchgotraped; 27-01-2011 at 03:22 PM.
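The fixes listed in post #1 (upload limits, disabling TRACE, hiding the server version, a custom 404 page, restricting /stats/admin) turned into a small config audit, added here as an example; it is not code from the thread or from RGC. The php.ini and httpd.conf fragments are constructed samples, and the Apache 2.2 `Order`/`Deny` access syntax is assumed because the report shows Apache 2.2.9.

```python
import re

# Constructed sample configs (not from the thread): the weak state the report describes.
WEAK_PHP_INI = "[PHP]\nfile_uploads = On\n; PHP 5.2.x has no max_file_uploads directive\n"
WEAK_HTTPD_CONF = "ServerTokens Full\nServerSignature On\nTraceEnable On\n"

# Constructed hardened configs applying the report's fixes (Apache 2.2 access syntax assumed).
HARD_PHP_INI = "[PHP]\nfile_uploads = On\nmax_file_uploads = 20\n"
HARD_HTTPD_CONF = """ServerTokens Prod
ServerSignature Off
TraceEnable Off
ErrorDocument 404 /404.html
<Location /stats/admin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""

def directives(text):
    """Map lower-cased directive name -> last value for php.ini ('k = v') and httpd.conf ('K v').
    Comments (; or #), [sections] and <block> tags are skipped; a later duplicate wins."""
    found = {}
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()
        if not line or line.startswith(("[", "<")):
            continue
        m = re.match(r"^([\w.]+)\s*=?\s*(.*?)\s*$", line)
        if m:
            found[m.group(1).lower()] = m.group(2).strip('"').lower()
    return found

def audit(php_ini, httpd_conf, sensitive_dir="/stats/admin"):
    """Return the report's findings that are still unmitigated; empty when every fix is in place.
    Missing directives are treated as their insecure defaults (TraceEnable On, ServerTokens Full,
    ServerSignature On as in Debian's packaged config, file_uploads On)."""
    php, web = directives(php_ini), directives(httpd_conf)
    findings = []
    if php.get("file_uploads", "on") not in ("off", "0") and "max_file_uploads" not in php:
        findings.append("upload DoS: set file_uploads = Off or max_file_uploads (PHP >= 5.3.1)")
    if web.get("traceenable", "on") != "off":
        findings.append("TRACE enabled: add TraceEnable Off")
    if web.get("servertokens", "full") != "prod" or web.get("serversignature", "on") != "off":
        findings.append("version disclosure: set ServerTokens Prod and ServerSignature Off")
    if not re.search(r"^\s*ErrorDocument\s+404\s", httpd_conf, re.M | re.I):
        findings.append("no custom 404 page: add ErrorDocument 404 /404.html")
    if not re.search(r"<(Location|Directory)\s+\S*" + re.escape(sensitive_dir), httpd_conf, re.I):
        findings.append(sensitive_dir + " unrestricted: add a <Location> block denying access")
    return findings
```

Running `audit(WEAK_PHP_INI, WEAK_HTTPD_CONF)` reports all five items; the hardened pair returns an empty list.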


  2. #2

    lol

    Nice Useless post.

  3. #3
    Rank: Superior Deity
    • Join Date: May 2009
    • Posts: 1,403


    Nice job dude.

    Btw that top is a spam bot or something

  4. #4

    ahha

    Thanks mate. Someone at least appreciates it.

  5. #5
    Rank: Rookie
    • Join Date: Jul 2010
    • Posts: 4


    This is what the "Attacker" sent to me:

    "Nobody knows where the error is

    there are 112 vulnerabilities to fix, each one will take 4 to 5 days"

    translation:

    "Nobody knows where the error is

    there are 112 vulnerabilities, fixing each one will take 4 to 5 days"

    He is BR, and he works for companies around the world on the security of banks, game sites, and much more.
    He has a lot of power; it will take hard work to stop him.

  6. #6
    Rank: Forum Addict
    • Join Date: Oct 2009
    • Posts: 747


    Quote Originally Posted by UnlimiteD
    This is what the "Attacker" sent to me:

    "Nobody knows where the error is

    there are 112 vulnerabilities to fix, each one will take 4 to 5 days"

    translation:

    "Nobody knows where the error is

    there are 112 vulnerabilities, fixing each one will take 4 to 5 days"

    He is BR, and he works for companies around the world on the security of banks, game sites, and much more.
    He has a lot of power; it will take hard work to stop him.
    I hope it is not true!

  7. #7
    Rank: Councilor
    • Join Date: Jun 2010
    • Posts: 494


    Quote Originally Posted by NeC.madchen
    I hope it is not true!
    I hope too!
    I will burn this guy.
    blablabla

  8. #8
    Rank: Regular
    • Join Date: Jan 2011
    • Posts: 80


    nice1
