CVE-2019-15748
📋 TL;DR
CVE-2019-15748 allows unauthenticated attackers to upload malicious SCORM packages containing PHP files to SITOS six Build v6.2.1, leading to remote code execution. This affects any organization using the vulnerable version of this learning management system. The vulnerability bypasses authentication entirely, making it particularly dangerous.
💻 Affected Systems
- SITOS six Build v6.2.1 (the version named in the advisory; earlier builds are not listed)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise: attacker gains full control of the web server, can steal data, deploy ransomware, or pivot to internal networks.
Likely Case
Webshell deployment leading to data exfiltration, credential theft, and persistence on the compromised system.
If Mitigated
Attack blocked at network perimeter or detected during file upload attempts, with minimal to no impact.
🎯 Exploit Status
Exploit requires creating a malicious SCORM package with embedded PHP file, which is trivial for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v6.2.2 or later
Vendor Advisory: https://www.contextis.com/en/resources/advisories/cve-2019-15748
Restart Required: No
Instructions:
1. Back up the current installation and its data.
2. Download and install SITOS six Build v6.2.2 or later from the vendor.
3. Verify that authentication is now required for the SCORM package upload/import functionality.
🔧 Temporary Workarounds
Block Direct Access to Vulnerable Pages
Use the web server configuration to require authentication in front of the SCORM upload/import pages. The path patterns below (/scorm, /upload, /import) are placeholders; replace them with the URLs your installation actually uses, and note that a front-end Basic Auth layer also gates legitimate users, who will need an entry in the .htpasswd file.
# Apache: add to the virtual host config (or .htaccess where AllowOverride permits).
# Require valid-user alone is a configuration error; an AuthType, AuthName and
# AuthUserFile are needed for the directive to take effect.
<LocationMatch "^/(scorm|upload|import)">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</LocationMatch>
# Nginx: add to the server block. Regex locations are matched in order and the
# first match wins, so this block must also carry the application's PHP handling
# directives (the fastcgi_pass/include lines from its existing PHP location);
# otherwise the matched URLs stop being processed by PHP.
location ~ ^/(scorm|upload|import) {
    auth_basic "Restricted";
    auth_basic_user_file /path/to/.htpasswd;
}
File Upload Restriction
Configure the web application firewall or web server to block uploads whose client-supplied filename has a PHP-executable extension. This only catches a PHP file uploaded directly: in this vulnerability the PHP file travels inside the SCORM package (a ZIP archive), so a filename check on the upload itself will not see it, and the archive contents must be inspected before extraction.
# Apache mod_security rule (requires SecRequestBodyAccess On).
# FILES holds the client-supplied filenames of multipart uploads; the original
# FILES_TMPNAMES variable only contains the server's random temp-file names
# and would never match.
SecRule FILES "@rx (?i)\.ph(p\d?|tml|ar)$" "id:1001,phase:2,deny,status:403,msg:'Block PHP upload'"
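Because the WAF rule above cannot see inside the ZIP, the check that actually closes the gap is one that inspects the SCORM package before it is unpacked under the web root. The following is an added example, not code from SITOS or from the advisory: a pre-extraction validator that rejects entries with PHP-executable extensions (including double extensions such as shell.php.txt), execution-altering files like .htaccess, and path-traversal (zip-slip) entry names, and requires the imsmanifest.xml that every SCORM package must carry. The forbidden-extension list, the file names and the sample packages are constructed for the example.

```python
"""Pre-extraction check for uploaded SCORM packages (added example).

Assumptions (not from the advisory): the LMS hands the uploaded ZIP to
inspect_scorm_package() before unpacking it under the web root; the
forbidden extension/file lists are our own policy choices.
"""
import io
import posixpath
import zipfile

# Extensions a typical PHP handler may execute. Policy list, not vendor-supplied.
FORBIDDEN_EXTENSIONS = {
    ".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps",
}
# Files that can change how the web server executes the extracted content.
FORBIDDEN_NAMES = {".htaccess", ".user.ini"}


def _is_unsafe_path(name: str) -> bool:
    """Reject absolute names, backslashes and any name that escapes upward."""
    if name.startswith("/") or "\\" in name:
        return True
    # normpath collapses 'a/../../b' to '../b', so checking the first segment
    # is enough to catch zip-slip entries.
    return posixpath.normpath(name).split("/")[0] == ".."


def inspect_scorm_package(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the package passed."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    with zf:
        if "imsmanifest.xml" not in zf.namelist():
            findings.append("missing imsmanifest.xml at package root")
        for info in zf.infolist():
            name = info.filename
            if _is_unsafe_path(name):
                findings.append(f"unsafe path: {name}")
                continue
            base = posixpath.basename(name).lower()
            if base in FORBIDDEN_NAMES:
                findings.append(f"forbidden file: {name}")
                continue
            # Check every extension segment so 'shell.php.txt' is also caught.
            segments = base.split(".")[1:]
            if any("." + seg in FORBIDDEN_EXTENSIONS for seg in segments):
                findings.append(f"server-executable file: {name}")
    return findings


def _build_zip(files: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> content mapping (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


MANIFEST = b'<?xml version="1.0"?><manifest identifier="demo"></manifest>'

# Constructed samples: a benign course package and one carrying a web shell
# plus a zip-slip entry.
BENIGN_PACKAGE = _build_zip({
    "imsmanifest.xml": MANIFEST,
    "index.html": b"<html>lesson</html>",
    "js/app.js": b"console.log('ok')",
})
MALICIOUS_PACKAGE = _build_zip({
    "imsmanifest.xml": MANIFEST,
    "index.html": b"<html>lesson</html>",
    "assets/cmd.php": b"<?php system($_GET['c']); ?>",
    "../../shell.phtml": b"<?php echo 1; ?>",
})

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN_PACKAGE), ("malicious", MALICIOUS_PACKAGE)):
        print(label, inspect_scorm_package(pkg) or "OK")
```

Run the validator on the raw upload and discard the package on any finding; extracting first and deleting afterwards leaves a window in which the dropped PHP file is already reachable.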
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SITOS six from critical systems
- Deploy a web application firewall with rules to detect and block SCORM package uploads from unauthenticated sessions or unexpected sources (blocking all SCORM uploads also stops legitimate course imports)
🔍 How to Verify
Check if Vulnerable:
Attempt to access the SCORM upload/import page (for example /scorm/upload; the exact path depends on the installation) without authentication. If it is accessible, the system is vulnerable.
Check Version:
Check SITOS six Build version in admin panel or configuration files
Verify Fix Applied:
Verify authentication is required for all SCORM upload/import functionality and check version is v6.2.2 or later.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated POST requests to SCORM upload endpoints
- File uploads with .php extension in SCORM packages
- Unusual file creation in web-accessible directories
Network Indicators:
- HTTP POST requests to /scorm/upload without authentication headers
- Upload of compressed files (SCORM packages) followed by PHP file execution
SIEM Query:
source="web_server" AND (uri_path="/scorm/upload" OR uri_path="/scorm/import") AND http_method="POST" AND NOT (http_user_agent="*bot*" OR http_user_agent="*crawler*")
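The network indicator above (a package upload followed by a request for a PHP file under the extracted content) is the most reliable post-exploitation signal, since an access log alone cannot show what was inside the ZIP. The following is an added example, not part of the advisory: it parses Apache/Nginx combined-format log lines and reports each client that POSTed to an upload endpoint and then, within a time window, successfully requested a PHP file under the content directory. The endpoint paths, the content prefix, the window and the log lines are constructed assumptions. The remote-user field in the combined log only reflects HTTP authentication, so the "unauthenticated" flag is meaningful when the Basic Auth workaround above is deployed, not for the application's own session login.

```python
"""Correlate SCORM uploads with follow-on PHP execution in web server logs
(added example, not from the advisory). Assumptions: combined log format,
the endpoint names in UPLOAD_PATHS, the CONTENT_PREFIX extraction directory
and the WINDOW are all ours."""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PHP_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
UPLOAD_PATHS = ("/scorm/upload", "/scorm/import")  # assumed endpoint names
CONTENT_PREFIX = "/content/"                         # assumed extraction dir
WINDOW = timedelta(minutes=10)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_upload_then_execute(lines):
    """Return (ip, upload_path, php_path, seconds_between, no_http_auth) tuples.

    A hit is a successful (<400) request for a PHP file under CONTENT_PREFIX
    from an IP that POSTed to an upload endpoint at most WINDOW earlier.
    """
    uploads = {}  # ip -> list of (timestamp, upload path, remote user)
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.startswith(UPLOAD_PATHS):
            uploads.setdefault(rec["ip"], []).append((rec["ts"], path, rec["user"]))
        elif path.startswith(CONTENT_PREFIX) and PHP_RE.search(path) and rec["status"] < 400:
            for ts, upath, user in uploads.get(rec["ip"], []):
                delta = rec["ts"] - ts
                if timedelta(0) <= delta <= WINDOW:
                    hits.append((rec["ip"], upath, path, int(delta.total_seconds()), user == "-"))
    return hits


# Constructed sample log: one upload-then-shell sequence, one legitimate
# import, and one unrelated probe that was denied.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Sep/2019:10:01:02 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Sep/2019:10:01:30 +0000] "POST /scorm/upload HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Sep/2019:10:01:45 +0000] "GET /content/course1/assets/cmd.php?c=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - jsmith [12/Sep/2019:10:05:00 +0000] "POST /scorm/upload HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - jsmith [12/Sep/2019:10:06:10 +0000] "GET /content/course2/index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Sep/2019:10:07:00 +0000] "GET /content/course1/assets/cmd.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, upath, php, secs, no_auth in find_upload_then_execute(SAMPLE_LOG.splitlines()):
        print(f"{ip}: POST {upath} -> {php} after {secs}s (no HTTP auth: {no_auth})")
```

The window and the content prefix are the two knobs that decide the false-positive rate: a legitimate SCORM package never contains PHP, so any hit under the content directory deserves a look regardless of timing, and the window mainly serves to tie the request back to the responsible upload.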