Joomla RWCards Component "img" File Disclosure

SECUNIA ADVISORY ID:
SA32367

VERIFY ADVISORY:
http://secunia.com/advisories/32367/

CRITICAL:
Moderately critical

IMPACT:
Exposure of system information, Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
RWCards 3.x (component for Joomla)
http://secunia.com/advisories/product/20228/

DESCRIPTION:
Vrs-hCk has discovered a vulnerability in the RWCards component for
Joomla!, which can be exploited by malicious people to disclose
sensitive information.

Input passed to the "img" parameter in captcha/captcha_image.php is
not properly sanitised before being used. This can be exploited to
display arbitrary files via directory traversal attacks and
URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is
disabled.

The vulnerability is confirmed in version 3.0.11. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.
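
One way to apply this to the "img" parameter, shown as an added
example that is not RWCards code and not part of the advisory. The
function name resolve_captcha_image, the "images" directory and the
extension list are assumptions.

```php
<?php
// Added example, not RWCards code. The directory passed as $captchaDir and
// the allowed extensions are assumptions; match them to the real component.

/**
 * Map a user-supplied "img" value to a file inside $captchaDir.
 * Returns the canonical path, or null if the value is not acceptable.
 */
function resolve_captcha_image($img, $captchaDir)
{
    // Arrays (img[]=...) and empty values are never valid file names.
    if (!is_string($img) || $img === '') {
        return null;
    }
    // Reject NUL bytes explicitly instead of relying on magic_quotes_gpc:
    // on older PHP versions a NUL truncates the path at the filesystem call.
    if (strpos($img, "\0") !== false) {
        return null;
    }
    // Allowlist a bare file name with an image extension. No separators
    // and no ".." can pass, so traversal sequences are refused up front.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(?:png|jpe?g|gif)\z/', $img)) {
        return null;
    }
    // Defence in depth: canonicalise and confirm the result is still
    // inside the intended directory (this also catches symlinks).
    $base = realpath($captchaDir);
    $path = realpath($captchaDir . DIRECTORY_SEPARATOR . $img);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Hypothetical call site in the image script.
$img  = isset($_GET['img']) ? $_GET['img'] : '';
$file = resolve_captcha_image($img, dirname(__FILE__) . '/images');
if ($file === null) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}
readfile($file);
```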

PROVIDED AND/OR DISCOVERED BY:
Vrs-hCk

ORIGINAL ADVISORY:
http://milw0rm.com/exploits/6817