Joomla OzioGallery2 Arbitrary File Write

Type packetstorm
Reporter Ubik
Modified 2010-01-04T00:00:00


                                            `# Exploit Title: Joomla component com_oziogallery2 / IMAGIN arbitrary file write  
# Date: 01-01-10  
# Author: Ubik and er  
# Software Link: /  
# Version: all  
# Disclaimer : all the information in this document is provided "as is", for educational purposes only. The authors will not be responsible for any damage.  
technical information  
We can find this obviously flawed code in /scripts_ralcr/filesystem/writeToFile.php:  
$file = "../../".$_POST["path"];  
$fh = fopen ($file, 'w') or die("error::Can't open file for writing");  
echo fwrite ($fh, stripslashes($_POST["raw_data"]));  
An attack can be easily performed by manipulating the parameters (path and raw_data).  
Probably other php files in scripts_ralcr are coded without any care about security.  
In Oziogallery the vulnerable files are located in /components/com_oziogallery2/imagin/scripts_ralcr/.