
File Upload Bypass Leading to Remote Code Execution

Severity: CRITICAL
Industry: E-commerce
Finding: MIME type check bypassed — malicious PHP webshell uploaded and executed on production server
Method: Manual + automated penetration testing
Outcome: Full remote code execution on production server. Database credentials, customer data, and payment processor keys accessible. Ability to install persistent backdoor or ransomware. The finding was disclosed immediately on discovery — no data was accessed, no persistence established. Server hardened within 6 hours.

Technical detail

An e-commerce platform allowed users to upload product images. The application validated the file type solely by checking the MIME type declared in the request's Content-Type header — a client-controlled value that says nothing about the file's actual contents. By setting the Content-Type to image/jpeg while uploading a PHP file, ThreatRiX uploaded a webshell to the production web root.

The uploaded file was accessible at a predictable path, and executing it via browser gave full remote code execution on the server — including file system access, database credentials in environment variables, and the ability to install persistent backdoors.

Remediation

File type validation moved server-side: magic byte validation using PHP fileinfo extension, whitelist of allowed extensions enforced independently of MIME type, uploaded files renamed with random UUIDs and stored outside web root. File execution disabled in upload directory via Apache/Nginx configuration. ThreatRiX retested all three controls and confirmed remediation.
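The three server-side controls above (magic-byte check with fileinfo, extension whitelist independent of the declared MIME type, random name stored outside the web root) in one PHP upload handler. This is an added illustration, not the client's or ThreatRiX's code; the form field name `image`, the storage path `/var/app/uploads` and the size cap are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical storage path: outside the web root, so nothing here is URL-reachable.
const UPLOAD_DIR = '/var/app/uploads';
const MAX_BYTES  = 5 * 1024 * 1024;

// Allowed extensions and the MIME type magic-byte detection must report for each (no SVG: it can carry script).
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Validates one entry of $_FILES and stores it; returns the random stored name.
function storeImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Control 1: extension whitelist. The client filename is used only as a lookup key,
    // never as part of the stored name, so "shell.jpg.php" fails here ("php" is not listed).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // Control 2: magic-byte detection via the fileinfo extension. $file['type'] is the
    // client-supplied Content-Type and is deliberately never consulted.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException('Content (' . var_export($detected, true) . ") does not match .$ext");
    }
    if (@getimagesize($file['tmp_name']) === false) {   // must also parse as an image
        throw new RuntimeException('Not a parseable image');
    }

    // Control 3: random 128-bit name (same purpose as the UUIDs in the remediation) with a
    // fixed, whitelisted extension, written outside the web root.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    chmod(UPLOAD_DIR . '/' . $name, 0640);   // readable by the app, never executable
    return $name;
}

// Usage (in the upload handler): $stored = storeImageUpload($_FILES['image']);
```

The fourth control, disabling script execution in the upload directory at the web server (for example `php_admin_flag engine off` in the relevant Apache directory block), is independent of this code and should stay in place even with the checks above.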

Could this happen to your application?

Run a free scan on your domain — see what ThreatRiX finds in 60 seconds.