An e-commerce platform allowed users to upload product images. The application validated the file type by checking the MIME type in the Content-Type header — a client-controlled value. By setting the Content-Type to image/jpeg while uploading a PHP file, ThreatRiX uploaded a webshell to the production web root.
The uploaded file was accessible at a predictable path, and requesting it in a browser executed it, giving full remote code execution on the server — including file system access, database credentials in environment variables, and the ability to install persistent backdoors.
File type validation now relies on server-side inspection of the file contents rather than the client-supplied header: magic-byte validation using the PHP fileinfo extension, a whitelist of allowed extensions enforced independently of the MIME type, and uploaded files renamed with random UUIDs and stored outside the web root. File execution was disabled in the upload directory via Apache/Nginx configuration. ThreatRiX retested all three controls and confirmed remediation.
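The following is an added example, not ThreatRiX's code or the platform's, showing how the three application-side controls above fit together in one PHP upload handler, with the failed Content-Type check kept alongside for contrast. The storage directory, size cap, allowed formats and the `storeImage`/`serveImage` function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not ThreatRiX's or the platform's code. Storage path, size cap
// and allowed formats are assumptions for illustration.

const UPLOAD_DIR = '/var/app/uploads';  // assumed: outside the web root, never served directly
const MAX_BYTES  = 5 * 1024 * 1024;     // assumed: 5 MiB cap

// Allow-list keyed by the MIME type detected from the file's BYTES (fileinfo magic),
// mapped to the one extension we will write. SVG is deliberately absent: it can
// carry script and is not a safe "image" to serve inline.
const ALLOWED_MIME = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
// Extension allow-list applied to the client-supplied name, independently of MIME.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// The check that failed in the incident: $_FILES[...]['type'] is copied straight
// from the request's Content-Type header and is entirely client-controlled.
function weakIsImage(array $file): bool
{
    return isset(ALLOWED_MIME[$file['type'] ?? '']);
}

// Control 1: detect the MIME type from magic bytes with the fileinfo extension.
function detectMime(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    return $mime === false ? '' : $mime;
}

// Control 3: RFC 4122 version-4 UUID from a CSPRNG, used as the stored filename.
function uuidV4(): string
{
    $b    = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // version nibble = 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // variant bits = 10xx
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

// Validate one entry of $_FILES and store it; returns the UUID the application
// persists and later uses to serve the image. Throws on any rejection.
function storeImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Control 1: the type comes from the bytes, never from $file['type'].
    $mime = detectMime($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('unsupported file type');
    }

    // Control 2: the original name's extension must also be on the allow-list.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('disallowed extension');
    }

    // Control 3: random name, extension taken from the DETECTED type, stored
    // outside the web root. Nothing from the client's filename reaches the disk.
    $id   = uuidV4();
    $dest = UPLOAD_DIR . '/' . $id . '.' . ALLOWED_MIME[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // data, not a program: no execute bit
    return $id;
}

// Serve by UUID through the application, so the storage path is never exposed
// and the response type is the detected type, not whatever the client claimed.
function serveImage(string $id): void
{
    if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/', $id)) {
        http_response_code(404);
        return;
    }
    foreach (ALLOWED_MIME as $mime => $ext) {
        $path = UPLOAD_DIR . '/' . $id . '.' . $ext;
        if (is_file($path)) {
            header('Content-Type: ' . $mime);
            header('X-Content-Type-Options: nosniff');
            readfile($path);
            return;
        }
    }
    http_response_code(404);
}

// Typical wiring (assumed form field name "image"):
// $id = storeImage($_FILES['image']);   // on POST
// serveImage($_GET['id']);              // on GET /image?id=<uuid>
```

Two points worth noting when applying this. First, a magic-byte check only confirms the file starts like an image; a genuine image can still carry other content after the image data, which is why the UUID rename, the out-of-web-root location and the web-server rule that refuses to execute anything under the upload directory (the fourth control above, for example `php_admin_flag engine off` in an Apache `<Directory>` block under mod_php, or an Nginx `location` for the upload path that serves static files only and has no `fastcgi_pass`) are what make a surviving polyglot harmless. Re-encoding the image through GD or Imagick before storage is an optional further step the page does not mention. Second, `weakIsImage` is included only to show what the platform originally relied on: `$_FILES['image']['type']` should never be used as a security control.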
Run a free scan on your domain — see what ThreatRiX finds in 60 seconds.