(2019/8/6)Reporting Critical CVE in Popular eLearning Platform that Leads to Server Compromise without Authentication

Our Red Team has reported CVE-2019-11062, pointing out that a popular eLearning platform has a critical risk of OS Command Injection. The risk is categorized in OWASP TOP 10 2017 A1-Injection. Due to the wide range of affect, it is assigned with risks scores “9.8 Critical” from CVSS v3.0.

CVE-2019-11062：The SUNNET WMPro v5.0 and v5.1 for eLearning system has OS Command Injection via “basePath” parameter in "/teach/course/doajaxfileupload.php". The victim server can be exploited without authentication. Once the attack succeeds, the attacker can compromise the victim server with full control. The attacker can then upload a webshell or access the credentials of server and database admins.

The vendor has released the security patch. If your organization or enterprise is using this eLearning platform, it is recommended to contact the vendor for patching ASAP.

CHT Security has the following recommendation for protection:

1. Disable the path of “/teach/course/doajaxfileupload.php” to make it inaccessible.

2. Enable your WAF to check the “basePath” parameter against any plaintext or encoded OS command strings.

3. Check and delete if any unexpected file is uploaded.

4. Check and disconnect if a connection to “/teach/course/doajaxfileupload.php” is not authenticated.

5. Ensure permission checking for access to any function in software implementation. Deny the access without proper privilege.

6. In recent years, the numbers and variations of malware are increasing, and the hacking techniques are changing with every minute. Enterprises can reduce the cybersecurity risks with systematic security testing by experienced security experts. It is recommended that enterprises should regularly conduct security tests, such as Source Code Security Analysis and Penetration Testing, to ensure the effectiveness of enterprise cybersecurity.