
Add vpatch-CVE-2025-28367 rule and test #30

Open

crowdsec-automation wants to merge 4 commits into master from 1746630274-vpatch-CVE-2025-28367

Conversation

@crowdsec-automation

This rule detects directory traversal attempts targeting the mojoPortal BetterImageGallery API Controller's imagehandler action, as described in CVE-2025-28367. The detection logic is as follows:

  • The first condition matches requests to the vulnerable endpoint by checking if the URI contains /api/betterimagegallery/imagehandler, using both lowercase and urldecode transforms to ensure case-insensitive and encoded path matching.
  • The second condition inspects the path argument in the query string for the presence of the directory traversal pattern ../, again applying lowercase and urldecode transforms to catch encoded or case-variant attempts.
  • This approach minimizes false positives by focusing only on the relevant endpoint and parameter, and by looking for the traversal meta-characters rather than specific file names.
  • The labels section includes the correct CVE, ATT&CK, and CWE references, and the rule is classified as an LFI (Local File Inclusion) exploit.

Validation checklist:

  • All value: fields are lowercase.
  • All relevant transforms include lowercase and urldecode.
  • No match.value contains capital letters.
  • The rule uses contains for pattern matching as appropriate.

Exploit URL: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-28367.yaml
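The two conditions and the transform chain described above, written as a small reference model in Python so the matching behaviour can be checked against constructed request targets. This is an added example, not the rule file from this PR and not the CrowdSec appsec engine; it assumes transforms run in the order lowercase then urldecode, that the query string is decoded exactly once, and that the argument name path is compared after the same transforms.

```python
from urllib.parse import unquote, urlsplit

# Values taken from the PR description; the rule file itself is not on this page.
ENDPOINT = "/api/betterimagegallery/imagehandler"
TRAVERSAL = "../"
ARG_NAME = "path"

def transform(value: str) -> str:
    """Apply the rule's transform chain in order: lowercase, then urldecode."""
    return unquote(value.lower())

def raw_query_args(query: str) -> dict[str, list[str]]:
    """Split a query string without decoding, so transform() decodes exactly once."""
    args: dict[str, list[str]] = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            args.setdefault(name, []).append(value)
    return args

def matches_rule(target: str) -> bool:
    """True when both conditions hold for a raw request target (path + query),
    e.g. '/api/x?path=..%2f..%2fa.txt'."""
    parts = urlsplit(target)
    # Condition 1: the URI contains the vulnerable endpoint after transforms.
    if ENDPOINT not in transform(parts.path):
        return False
    # Condition 2: the 'path' argument contains '../' after transforms.
    # Assumption: argument names are compared after the same transforms.
    for name, values in raw_query_args(parts.query).items():
        if transform(name) == ARG_NAME and any(TRAVERSAL in transform(v) for v in values):
            return True
    return False

# Constructed sample request targets (not captured traffic).
SAMPLE_TARGETS = [
    "/api/betterimagegallery/imagehandler?path=../../a.txt",        # plain
    "/API/BetterImageGallery/ImageHandler?path=..%2F..%2Fa.txt",    # case + encoded
    "/api/betterimagegallery/imagehandler?path=gallery/photo.jpg",  # benign use
    "/static/file?path=../index.html",                              # other endpoint
]

def evaluate(targets: list[str]) -> list[bool]:
    """Verdict per target, in order."""
    return [matches_rule(t) for t in targets]

if __name__ == "__main__":
    for target, hit in zip(SAMPLE_TARGETS, evaluate(SAMPLE_TARGETS)):
        print(f"{'MATCH ' if hit else 'ignore'}  {target}")
```

The last two samples are the false-positive checks the description calls out: a legitimate call to the endpoint and a traversal pattern against an unrelated endpoint both stay unmatched.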
