# Exploit Title: Joomla component com_oziogallery2 / IMAGIN arbitrary file write
# Date: 01-01-10
# Author: Ubik and er
# Software Link: oziogallery.joomla.it / imagin.ro
# Version: all
# Disclaimer : all the information in this document is provided "as is", for educational purposes only. The authors will not be responsible for any damage.
 
technical information
---------------------
We can find this obviously flawed code in /scripts_ralcr/filesystem/writeToFile.php:
 
*************************
$file = "../../".$_POST["path"];
 
$fh = fopen ($file, 'w') or die("error::Can't open file for writing");
echo fwrite ($fh, stripslashes($_POST["raw_data"]));
 
fclose($fh);
*************************
 
An attack can be easily performed by manipulating the parameters (path and raw_data).
Probably other php files in scripts_ralcr are coded without any care about security.
In Oziogallery the vulnerable files are located in /components/com_oziogallery2/imagin/scripts_ralcr/.