Raging Mortals BETA

[ILYAS415]

Hi guys i need beta testers for this game. Tok me quite a while to make and its still not finished. Thanks.

http://www.ragingmortals.com

http://www.ragingmortals.co.uk

[LiamProductions]

I like the javascript to open the login panel but.. I can't seem to register.

[LiamProductions]

Don't you think this is a bit stupid

 

"You fought Azeem!...

demo attacked with nuclear bomb!

Azeem defended with paper bag!

Demo attacked Azeem again..."

 

 

PAper bag to defend a nuclear bomb?

[ILYAS415]

No actually it isnt really stupid because its that persons fault for not being prepared. The demo is user is actually currently using the best weapon in the game! lol

O yh and btw i used php for the login thing on the front page

 

Register link here:-

If you havnt already, then please Register.
Lost your password? Get it back! Click here

[agentsteal]

Array:

http://www.ragingmortals.com/postoffice.php?fromper[]

 

Array:

http://www.ragingmortals.com/postoffice.php?ini[]

 

Cross Site Scripting:

http://www.ragingmortals.com/cgi-sys/scgiwrap/<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.ragingmortals.com/postoffice.php?ini=</textarea><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting in the forum if you post a topic that contains code.

 

Full Path Disclosure:

http://www.ragingmortals.com/cgi-sys/scgiwrap/

 

Full Path Disclosure:

http://www.ragingmortals.com/includes/functions_tst.php

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/ragingmo/public_html/includes/functions_tst.php on line 9

 

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/ragingmo/public_html/includes/functions_tst.php on line 52

 

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/ragingmo/public_html/includes/functions_tst.php on line 153

 

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/ragingmo/public_html/includes/functions_tst.php on line 188

 

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/ragingmo/public_html/includes/functions_tst.php on line 201

 

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/ragingmo/public_html/includes/functions_tst.php on line 210

 

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/ragingmo/public_html/includes/functions_tst.php on line 219

 

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/ragingmo/public_html/includes/functions_tst.php on line 237

 

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/ragingmo/public_html/includes/functions_tst.php on line 244

 

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/ragingmo/public_html/includes/functions_tst.php on line 251

 

Full Path Disclosure:

There is Full Path Disclosure if the PHPSESSID cookie is set to an invalid value.

Warning: session_start() [function.session-start]: The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /home/ragingmo/public_html/register.php on line 2

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/ragingmo/public_html/register.php:2) in /home/ragingmo/public_html/register.php on line 2

 

Warning: Unknown(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in Unknown on line 0

 

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

 

Includes Directory:

http://www.ragingmortals.com/includes/

 

PHP Source Code Disclosure:

There is PHP Source Code Disclosure on the 404 page.

<?php if ($SESSION['username']){
echo "Or you cant return to the <a href=index2.php>game!"; } ?>

 

User Enumeration:

http://www.ragingmortals.com/~ragingmo

 

User Enumeration:

http://www.ragingmortals.com/~root

[LiamProductions]

When i was talking about not being able to register that was on IE i downloaded FireFox today and its perfect on that.

[LiamProductions]

Why have you put all the message in a file?

 

I found this i just registered:

Liam has been resetted!

[ILYAS415]

The 404 page reveals some php code in the source:

<?php if ($SESSION['username']){
echo "Or you cant return to the <a href=index2.php>game!"; } ?>

 

There is Cross Site Scripting in the forum if you put code in a post.

 

Also there is Full Path Disclosure if PHPSESSID in the cookie is invalid:

 

Warning: session_start() [function.session-start]: The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /home/ragingmo/public_html/register.php on line 2

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/ragingmo/public_html/register.php:2) in /home/ragingmo/public_html/register.php on line 2

 

Warning: Unknown(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in Unknown on line 0

 

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

 

how do i prevent cross-site scripting? also how do i prevent people or change error pages when ppl hav an invalid session id?

 

Also should i use .htaccess to block the includes directory or pass protect it?

 

Also Liam i dont fully understand wat ur saying

[josh48202]

when you go to the market it doesnt show a tip. you have to highlight it to get it to show n then it doesnt say ne thing.

[ILYAS415]

lol the random tip thing hasnt been done yet + the font color was set to white b4 the layout changed

[ILYAS415]

and how do i fix this