Add vpatch-CVE-2025-28367 rule and test #33

Open: crowdsec-automation wants to merge 4 commits into master from 1746777557-vpatch-CVE-2025-28367
@crowdsec-automation

This rule detects directory traversal attempts targeting the mojoPortal BetterImageGallery API Controller's imagehandler action, as described in CVE-2025-28367. The detection logic is as follows:

  • The first condition matches requests to the vulnerable endpoint by checking if the URI contains /api/betterimagegallery/imagehandler, using both lowercase and urldecode transforms to ensure case insensitivity and proper decoding of encoded characters.
  • The second condition inspects the path argument in the query string for the presence of the directory traversal pattern ../, again applying lowercase and urldecode transforms for normalization.
  • This approach ensures that only requests attempting to exploit the traversal via the path parameter on the correct endpoint are flagged, minimizing false positives.
  • The rule is labeled as an LFI (Local File Inclusion) for MojoPortal, and the classification includes the CVE, MITRE ATT&CK technique for file and directory discovery (T1006), and the relevant CWE (CWE-284: Improper Access Control).

Validation checklist:

  • All value: fields are lowercase.
  • All relevant transforms include lowercase and urldecode.
  • No match.value contains capital letters.
  • The rule uses contains instead of regex where applicable.

Exploit URL: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-28367.yaml
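
The two conditions and the validation checklist described in the comment above can be modelled in a few lines. This is an added example, not the rule file from this pull request or CrowdSec code: the dictionary layout, the function names, the choice to treat the URI zone as the request path, and the sample requests are all assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed model of the two conditions in the PR description (not the rule file itself).
RULE = [
    {"zone": "URI", "transform": ["lowercase", "urldecode"],
     "match": {"type": "contains", "value": "/api/betterimagegallery/imagehandler"}},
    {"zone": "ARGS", "variable": "path", "transform": ["lowercase", "urldecode"],
     "match": {"type": "contains", "value": "../"}},
]
TRANSFORMS = {"lowercase": str.lower, "urldecode": unquote}

def lint(rule):
    """Check a rule against the PR's validation checklist; return a list of problems."""
    problems = []
    for i, cond in enumerate(rule):
        if cond["match"]["value"] != cond["match"]["value"].lower():
            problems.append(f"condition {i}: match value contains capital letters")
        if not {"lowercase", "urldecode"} <= set(cond["transform"]):
            problems.append(f"condition {i}: missing lowercase/urldecode transform")
        if cond["match"]["type"] != "contains":
            problems.append(f"condition {i}: uses {cond['match']['type']}, not contains")
    return problems

def zone_values(cond, raw_url):
    """Return the raw (still percent-encoded) strings the condition inspects."""
    parts = urlsplit(raw_url)
    if cond["zone"] == "URI":
        return [parts.path]  # assumption: URI zone means the request path
    pairs = (p.partition("=") for p in parts.query.split("&") if p)
    return [v for k, _, v in pairs if k == cond["variable"]]

def normalize(value, transforms):
    """Apply the condition's transforms in the order they are listed."""
    for name in transforms:
        value = TRANSFORMS[name](value)
    return value

def matches(rule, raw_url):
    """True only when every condition holds (endpoint AND traversal in path)."""
    return all(
        any(cond["match"]["value"] in normalize(v, cond["transform"])
            for v in zone_values(cond, raw_url))
        for cond in rule)

# Constructed sample request targets with the verdict the rule should give.
SAMPLES = [
    ("/api/BetterImageGallery/ImageHandler?path=../../example.txt", True),
    ("/api/betterimagegallery/imagehandler?path=%2E%2E%2Fexample.txt", True),
    ("/api/betterimagegallery/imagehandler?path=gallery/summer/photo1.jpg", False),
    ("/blog/post?path=../example.txt", False),
]
```
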
