Joomla OzioGallery2 Arbitrary File Write

2010-01-04T00:00:00
ID PACKETSTORM:84716
Type packetstorm
Reporter Ubik
Modified 2010-01-04T00:00:00

Description

                                        
                                            `# Exploit Title: Joomla component com_oziogallery2 / IMAGIN arbitrary file write  
# Date: 01-01-10  
# Author: Ubik and er  
# Software Link: oziogallery.joomla.it / imagin.ro  
# Version: all  
# Disclaimer : all the information in this document is provided "as is", for educational purposes only. The authors will not be responsible for any damage.  
  
technical information  
---------------------  
We can find this obviously flawed code in /scripts_ralcr/filesystem/writeToFile.php:  
  
*************************  
$file = "../../".$_POST["path"];  
  
$fh = fopen ($file, 'w') or die("error::Can't open file for writing");  
echo fwrite ($fh, stripslashes($_POST["raw_data"]));  
  
fclose($fh);  
*************************  
  
An attack can be easily performed by manipulating the parameters (path and raw_data).  
Probably other php files in scripts_ralcr are coded without any care about security.  
In Oziogallery the vulnerable files are located in /components/com_oziogallery2/imagin/scripts_ralcr/.  
  
`