Nitrado claims to be the worldwide leading service provider in the game server hosting business. It also offers domain and website hosting services.
In the following post I would like to talk about the domain and website hosting services. Unfortunately, the positive image Nitrado has in the game server sector does not carry over to its website hosting, which is absolutely insufficient.
But now let’s start from the beginning. I will focus on security in terms of web hosting, email and background architecture.
None of the issues described below had been resolved as of the publication of this article; all of them were rechecked shortly before publication.
A significant part of all website hosting components is severely outdated. Among them are a version of phpMyAdmin that is vulnerable to known exploits and officially unsupported PHP versions. The production systems running the phpMyAdmin instances are also far from up to date.
Like a large part of all runtime environments, PHP is released in different versions that have a certain lifetime before they are no longer officially supported. The following image shows the release lifecycle of the latest PHP versions.
The versions highlighted in red are EOL (end of life), those highlighted in yellow receive only critical security patches, and those highlighted in green have active support. Older versions are listed under Unsupported Branches on the official PHP website. For example, it can be verified that the PHP 5.3 branch has been end of life since 14 Aug 2014, which is 6 years and 11 months ago. But Nitrado offers this version! To make matters worse, there are no versions with active support available, as seen in the image below!
A ticket pointing out the outdated PHP versions was already opened with Nitrado on 03/02/2021. Apart from the repeated answer that no current information is available and that patience is requested, nothing happened.
Next we will discuss the phpMyAdmin instance hosted by Nitrado. Unfortunately, it shows even more outdated software and more significant vulnerabilities.
The developers of phpMyAdmin describe the software as follows.
The screenshot shows several fatal problems. These will all be discussed in the following.
phpMyAdmin warns in the upper red banner that a secret password for encryption must be set in the configuration file. This is described in the official documentation. The password is used to improve the security of the cookie generation process. However, Nitrado has not set this password.
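The banner refers to the `$cfg['blowfish_secret']` directive in phpMyAdmin's `config.inc.php`. As an added example (not code from the original post or from Nitrado), this Python check classifies that setting in a configuration file and builds a replacement line; the 32-character minimum and the sample configurations are assumptions constructed for illustration.

```python
import re
import secrets

MIN_LEN = 32  # assumption: treat anything shorter than 32 characters as too short

# Live assignment at the start of a line: $cfg['blowfish_secret'] = '...';
_ASSIGN = re.compile(
    r"""^\s*\$cfg\[\s*(['"])blowfish_secret\1\s*\]\s*=\s*(['"])(.*?)\2\s*;""",
    re.MULTILINE,
)


def audit_blowfish_secret(config_text: str) -> str:
    """Classify the secret in a config.inc.php as missing/empty/too_short/ok."""
    # Drop /* ... */ blocks so a commented-out assignment is not counted.
    # Lines starting with // or # never match because of the ^ anchor.
    live = re.sub(r"/\*.*?\*/", "", config_text, flags=re.DOTALL)
    found = _ASSIGN.findall(live)
    if not found:
        return "missing"
    value = found[-1][2]  # PHP keeps the last assignment to the key
    if value == "":
        return "empty"
    if len(value) < MIN_LEN:
        return "too_short"
    return "ok"


def new_secret_line() -> str:
    """Build a config line with a fresh 32-character random secret."""
    # 24 random bytes encode to exactly 32 URL-safe base64 characters,
    # none of which need escaping inside a single-quoted PHP string.
    return f"$cfg['blowfish_secret'] = '{secrets.token_urlsafe(24)}';"


# Constructed sample configurations (not taken from any real host).
SAMPLES = {
    "unset": "<?php\n$cfg['blowfish_secret'] = '';\n",
    "commented": "<?php\n// $cfg['blowfish_secret'] = 'x';\n"
                 "/*\n$cfg['blowfish_secret'] = 'y';\n*/\n",
    "short": "<?php\n$cfg[\"blowfish_secret\"] = \"changeme\";\n",
    "fixed": "<?php\n" + new_secret_line() + "\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10s} {audit_blowfish_secret(text)}")
```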
It gets more exciting when looking at the environment phpMyAdmin is running on. The following is a comparison of the versions used by Nitrado and the current product versions. The corresponding release dates are given in square brackets below the respective versions.
| | Version used by Nitrado | Latest product version |
|---|---|---|
| MySQL server version | 5.5.60 [19 Apr 2018] | [11 May 2021] |
| Apache webserver version | 2.2.22 [31 Jan 2012] | [1 Jun 2021] |
| | [8 Dec 2016] | [1 Jul 2021] |
| | [22 Aug 2018] | [4 Jun 2021] |
As you can easily see, a web server released 9 years ago can no longer be secure. Accordingly, there are also many vulnerabilities. If we take a look at www.cvedetails.com, we can already see 13 vulnerabilities for this version. Three of them have a CVSS (Common Vulnerability Scoring System) score of 7.5!
The vulnerability makes it possible to read local files of the web server through phpMyAdmin. The development team of phpMyAdmin describes the vulnerability on their security website as follows.
The MITRE Corporation has also officially assigned a CVE (Common Vulnerabilities and Exposures) to this vulnerability. It can be found as CVE-2018-19968. Based on the phpMyAdmin version found at Nitrado, it is strongly suspected that the exploit can be executed within a few minutes without any further problems.
Apart from this vulnerability, there are several other vulnerabilities listed on the official phpMyAdmin website. These are fixed in newer versions, which should therefore be installed as soon as possible.
The security of email sending and receiving is also severely compromised. For example, only outdated protocols are available, which are no longer supported by email clients by default.
The following original answer in German is part of a ticket from 05/12/2021. The English translation is shown in the quote that follows.
The English translation is below.
Due to all these unresolved open vulnerabilities, I personally decided to leave Nitrado in terms of web hosting. I started to set up my own mail server and move it one by one. After the entire configuration was completed and the mail server was working, Nitrado, for its part, changed all DNS entries without permission, without warning, so that the configuration was absolutely useless.
The only answer to a ticket opened for this purpose was that there were corresponding notes in Nitrado’s web interface. Unfortunately, no other notifications were sent in the form of email.
The English translation is below.
All the issues raised here have been reported by me to Nitrado at least once before.
Hopefully, all vulnerabilities will be closed as soon as possible.