Joomla! Component com_oziogallery2 / IMAGIN - Arbitrary File Write

EDB-ID:

10979

CVE:



Platform:

PHP

Published:

2010-01-03

# Exploit Title: Joomla component com_oziogallery2 / IMAGIN arbitrary file write
# Date: 01-01-10
# Author: Ubik and er
# Software Link: oziogallery.joomla.it / imagin.ro
# Version: all
# Disclaimer : all the information in this document is provided "as is", for educational purposes only. The authors will not be responsible for any damage.

technical information
---------------------
We can find this obviously flawed code in /scripts_ralcr/filesystem/writeToFile.php:

*************************
$file = "../../".$_POST["path"];

$fh = fopen ($file, 'w') or die("error::Can't open file for writing");
echo fwrite ($fh, stripslashes($_POST["raw_data"]));

fclose($fh);
*************************

An attack can be easily performed by manipulating the parameters (path and raw_data).
Probably other php files in scripts_ralcr are coded without any care about security.
In Oziogallery the vulnerable files are located in /components/com_oziogallery2/imagin/scripts_ralcr/.