Research: Joomla File Write Gadget Chain

As part of my research into Gadget Chains and PHP Object Injection, I discovered a File Write Gadget Chain in Joomla.

I submitted a PR for this to the excellent PHPGGC project - it will hopefully be Joomla/FW1:

https://github.com/ambionics/phpggc/pull/202 (not yet merged)

I reported this to the Joomla Security Team (before submitting the PR), and they responded quickly.

Unlike some projects I've reported Gadget Chains to, they were grateful for the report and put a fix in place fast:

https://github.com/joomla/joomla-cms/pull/44428

The fix was included in Joomla 5.2.2, which was released about 4 weeks after I'd sent the report.

It was a pleasure working with the Joomla Team :)