CVE-2019-15751
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to upload malicious files with executable extensions to SITOS six Build v6.2.1 web applications. Attackers can execute arbitrary PHP code and operating system commands on the server. Any organization running the vulnerable version of SITOS six Build is affected.
💻 Affected Systems
- SITOS six Build
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, pivot to internal networks, and maintain persistent access.
Likely Case
Web server compromise leading to data theft, defacement, or use as a foothold for further attacks within the network.
If Mitigated
The attack is blocked at the perimeter when proper file upload validation and web application firewall rules are in place.
🎯 Exploit Status
Exploitation requires only web access and the ability to craft a malicious SCORM package with a PHP extension.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v6.2.2 or later
Vendor Advisory: https://www.contextis.com/en/resources/advisories/cve-2019-15751
Restart Required: No
Instructions:
1. Download latest version from vendor.
2. Backup current installation.
3. Apply patch/upgrade.
4. Test functionality.
5. Remove any suspicious uploaded files.
🔧 Temporary Workarounds
File Upload Restriction
Implement strict file extension validation for SCORM uploads to block executable extensions.
# In PHP configuration or application code
# Restrict allowed extensions to: zip, imscc, imsres, imscp, imsmanifest.xml
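One way to implement the allowlist described above, shown in Python as an added example (not code from SITOS or the vendor advisory). `check_upload`, `make_zip`, the executable-extension set and the assumption that every allowed package type is a ZIP container are illustrative choices, not taken from the product.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Allowlist from the workaround above; anything not listed is rejected.
ALLOWED_EXTENSIONS = {"zip", "imscc", "imsres", "imscp"}
ALLOWED_FILENAMES = {"imsmanifest.xml"}
# Assumption: extensions a PHP-enabled web server may pass to the interpreter.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "pht", "phtml", "phar"}

def check_upload(filename, data):
    """Return (accepted, reason) for one uploaded file (name + raw bytes)."""
    # Keep only the final path component, whichever separator the client used.
    name = PurePosixPath(filename.replace("\\", "/")).name
    # Reject NUL bytes and leading/trailing dots or spaces (".htaccess", "a.zip.").
    if not name or "\x00" in name or name != name.strip(" ."):
        return False, "malformed filename"
    lowered = name.lower()
    if lowered in ALLOWED_FILENAMES:
        return True, "ok"
    parts = lowered.split(".")
    if len(parts) < 2:
        return False, "missing extension"
    # An executable extension anywhere in the name is refused ("a.php.zip").
    if EXECUTABLE_EXTENSIONS & set(parts[1:]):
        return False, "executable extension in name"
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension not on allowlist"
    # Assumption: every allowed package type is a ZIP container.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False, "content is not a ZIP archive"
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.namelist():
            ext = member.lower().rstrip(" ./").rsplit(".", 1)[-1]
            if ext in EXECUTABLE_EXTENSIONS:
                return False, "executable member in package"
    return True, "ok"

def make_zip(members):
    """Build a constructed in-memory ZIP from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member_name, content in members.items():
            archive.writestr(member_name, content)
    return buf.getvalue()

if __name__ == "__main__":
    print(check_upload("course.php.zip", make_zip({"imsmanifest.xml": b"<manifest/>"})))
```

The check validates the final extension, every intermediate extension, and the archive contents, so a renamed or double-extension file is rejected before it reaches the upload directory.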
Web Server Configuration
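Configure web server to not execute PHP files from upload directories.
# Apache .htaccess example (place it in the upload directory)
# "Order"/"Deny" is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat
# use "Require all denied" in place of the two directives.
<FilesMatch "\.(php|php5|phtml)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
# Nginx configuration example
# Scope this block to the upload directory; a site-wide match would also
# block the application's own PHP pages.
location ~* \.php$ {
    deny all;
}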
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block malicious file uploads
- Disable SCORM file upload functionality entirely if not required
🔍 How to Verify
Check if Vulnerable:
Check if running SITOS six Build v6.2.1 and test if SCORM files with .php extension can be uploaded.
Check Version:
# Check application version in admin panel or configuration files
Verify Fix Applied:
Verify version is v6.2.2 or later and test that PHP files cannot be uploaded via SCORM functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to SCORM endpoints
- Files with .php extension in upload directories
- Web server executing PHP from upload directories
Network Indicators:
- POST requests to SCORM upload endpoints with unusual file types
- Outbound connections from web server to unknown IPs
SIEM Query:
source="web_server" AND (uri="*scorm*upload*" OR uri="*scorm*save*") AND (file_extension="php" OR file_extension="phtml")