Exploiting fopen when input has extension appended

Question

For science.

Say I have the following code:

<?php
$filename = $_GET['filename'] . '.csv';
$handle = @fopen($filename);

We know that the null byte exploit is long gone, but is it possible to get around the above appending of .csv, in order to read a file with another extension? Very creative souls exist.

Reading remote files works, filename=http://example.com/some.csv (.csv is appended automatically).

Exploit in what manner? And what do you do with that file / handle? — Eiko, Aug 05 '16 at 10:21
Ah, I should've added that. The handler reading the file as a CSV, but this process might spit out information even if a file is not an actual CSV (comma or semicolon). — Benny Mose, Aug 05 '16 at 11:07

score 1 · Accepted Answer · answered Aug 05 '16 at 10:59

1

If you query for http://example.com/some.pdf?csv, fopen will try to gather the pdf file...

Rather use regex to validate $_GET (you should always validate your input):

/(\.csv)$/g will help you validate whether the extension is .csv

answered Aug 05 '16 at 10:59

Kevin Kopf

13,327
14
49
66

Exploiting fopen when input has extension appended

1 Answers1