Michael Michael - 4 months ago 10
PHP Question

Exploiting fopen when input has extension appended

For science.

Say I have the following code:

<?php
$filename = $_GET['filename'] . '.csv';
// fopen() requires a mode argument; 'r' opens the target for reading.
$handle = @fopen($filename, 'r');


We know that the null byte exploit is long gone, but is it possible to get around the above appending of .csv, in order to read a file with another extension? Very creative souls exist.

Reading remote files works, filename=http://example.com/some.csv (.csv is appended automatically).

Answer

If you query for http://example.com/some.pdf?csv, fopen will try to gather the pdf file...

Rather use regex to validate $_GET (you should always validate your input):

/(\.csv)$/g will help you validate whether the extension is .csv
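
Added example, not part of the original question or answer: a suffix-only check still passes once `.csv` has been appended to the URL from the answer, while an allowlist on the base name plus a resolved-path check rejects it. The names `has_csv_suffix` and `open_csv`, the temporary directory and the sample file are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Suffix-only check, in the spirit of the regex suggested in the answer.
function has_csv_suffix(string $name): bool
{
    return preg_match('/\.csv$/', $name) === 1;
}

// Hypothetical helper: open "<name>.csv" only if it is a local file inside $baseDir.
function open_csv(string $name, string $baseDir)
{
    // Allowlist the base name: letters, digits, "_" and "-" only, so no
    // scheme, slash, dot or query characters can reach fopen().
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return false;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.csv');
    // The resolved path must exist and stay inside the base directory.
    if ($base === false || $path === false) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return fopen($path, 'rb');
}

// Constructed demo data: a temporary directory holding one CSV file.
$dir = sys_get_temp_dir() . '/csv_demo_' . getmypid();
if (!is_dir($dir)) { mkdir($dir, 0700); }
file_put_contents($dir . '/report.csv', "id,name\n1,alice\n");

// Inputs: the URL from the answer, and a plain base name (constructed).
foreach (['http://example.com/some.pdf?csv', 'report'] as $input) {
    $handle = open_csv($input, $dir);
    printf("%-32s suffix check: %s, allowlist: %s\n",
        $input,
        has_csv_suffix($input . '.csv') ? 'pass' : 'fail',
        $handle !== false ? 'opened' : 'rejected');
    if ($handle !== false) {
        fclose($handle);
    }
}
unlink($dir . '/report.csv');
rmdir($dir);
```

Setting `allow_url_fopen = Off` in php.ini additionally stops `fopen()` from fetching `http://` URLs at all, independent of the input check.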