Joomla component com_oziogallery2 / IMAGIN arbitrary file write

vendor:

com_oziogallery2 / IMAGIN

by:

Ubik and er

7,5

CVSS

HIGH

Arbitrary File Write

264

CWE

Product Name: com_oziogallery2 / IMAGIN

Affected Version From: all

Affected Version To: all

Patch Exists: YES

Related CWE: N/A

CPE: oziogallery.joomla.it / imagin.ro

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Joomla component com_oziogallery2 / IMAGIN arbitrary file write

We can find this obviously flawed code in /scripts_ralcr/filesystem/writeToFile.php: An attack can be easily performed by manipulating the parameters (path and raw_data). Probably other php files in scripts_ralcr are coded without any care about security. In Oziogallery the vulnerable files are located in /components/com_oziogallery2/imagin/scripts_ralcr/.

Mitigation:

Ensure that user input is properly validated and sanitized before being used in file operations.

Source

Exploit-DB raw data:

# Exploit Title: Joomla component com_oziogallery2 / IMAGIN arbitrary file write
# Date: 01-01-10
# Author: Ubik and er
# Software Link: oziogallery.joomla.it / imagin.ro
# Version: all
# Disclaimer : all the information in this document is provided "as is", for educational purposes only. The authors will not be responsible for any damage.

technical information
---------------------
We can find this obviously flawed code in /scripts_ralcr/filesystem/writeToFile.php:

*************************
$file = "../../".$_POST["path"];

$fh = fopen ($file, 'w') or die("error::Can't open file for writing");
echo fwrite ($fh, stripslashes($_POST["raw_data"]));

fclose($fh);
*************************

An attack can be easily performed by manipulating the parameters (path and raw_data).
Probably other php files in scripts_ralcr are coded without any care about security.
In Oziogallery the vulnerable files are located in /components/com_oziogallery2/imagin/scripts_ralcr/.