
SSTI Vulnerability #614

Closed
cherrykoda opened this issue Apr 27, 2020 · 4 comments

Comments

@cherrykoda

cherrykoda commented Apr 27, 2020

Note: I was sent the following by a client's security team, so I'll do my best to answer any questions regarding it.


I believe I found an issue on your main site (www.domain.com).
CVE for it: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9757

Description
The mentioned site uses CraftCMS and the SEOmatic plugin. SEOmatic has an SSTI issue which leads to RCE (remote code execution).

The vulnerable url is:
https://domain.com/actions/seomatic/meta-container/meta-link-container/?uri={{4*4}}

Basically, the response will contain 16, which means the server did the calculation.

CraftCMS also has this method: craft.app.view.evaluateDynamicContent, which lets you evaluate PHP code.

Example:
{{craft.app.view.evaluateDynamicContent('phpinfo();')}}

In a similar way, you can use file_put_contents() and file_get_contents() to upload a PHP shell.

Discovery date: 27.04.2020.

Impact: Execute command on the server

Proposed fix: Disable SEOmatic or update to latest available release.


Craft Version: 3.4.17.1 (latest)
SEOMatic Version: 3.2.51 (latest)
PHP Version: 7.3.15
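For a site that cannot patch immediately, the practical defender's question is whether anyone has already sent template syntax to this endpoint. The following is an added example, not code from the SEOmatic project or from the issue author: it scans combined-format access-log lines for requests to the action path quoted in the report whose query parameters carry Twig delimiters, percent-decoding repeatedly so double-encoded probes are not missed. The log lines, IP addresses and the `classify_request` / `scan_access_log` names are constructed for the example; the endpoint path is the one from the report.

```python
"""Detect Twig template-injection probes against the SEOmatic action endpoint
in web-server access logs (added example; not SEOmatic project code).

Assumptions: combined/common log format lines; the vulnerable path is the one
quoted in the issue report. All sample log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Action path from the issue report (CVE-2020-9757).
SEOMATIC_ACTION_PREFIX = "/actions/seomatic/meta-container/"

# Twig delimiters: output "{{ }}", statement "{% %}", comment "{# #}".
TWIG_DELIMITERS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")

# client ident user [time] "METHOD target HTTP/x" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: two probes against the SEOmatic endpoint (the
# second one double-encoded), one ordinary request, one probe elsewhere.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Apr/2020:10:14:02 +0000] "GET /actions/seomatic/meta-container/meta-link-container/?uri=%7B%7B4*4%7D%7D HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Apr/2020:10:14:09 +0000] "GET /actions/seomatic/meta-container/meta-link-container/?uri=%257B%257B4*4%257D%257D HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Apr/2020:10:15:30 +0000] "GET /blog/hello-world?utm_source=newsletter HTTP/1.1" 200 8192',
    '198.51.100.7 - - [27/Apr/2020:10:16:01 +0000] "GET /search?q=%7B%7Bname%7D%7D HTTP/1.1" 200 1024',
]


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded probe (%257B%257B) is caught.
    Stops early once decoding no longer changes the value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_template_syntax(target):
    """Return (parameter, decoded value) pairs whose values contain Twig delimiters.
    parse_qs decodes once; decode_fully handles any further encoding layers."""
    query = urlsplit(target).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = decode_fully(value)
            if TWIG_DELIMITERS.search(decoded):
                hits.append((name, decoded))
    return hits


def classify_request(target):
    """Verdict for one request target:
    'ssti-probe'  - SEOmatic action path with template syntax in a parameter
    'suspicious'  - template syntax in a parameter on any other path
    'benign'      - no Twig delimiters in any parameter"""
    if not find_template_syntax(target):
        return "benign"
    path = urlsplit(target).path
    return "ssti-probe" if path.startswith(SEOMATIC_ACTION_PREFIX) else "suspicious"


def scan_access_log(lines):
    """Parse each log line; return (ip, verdict, target) for every flagged request.
    Lines that do not match the expected format are skipped."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        verdict = classify_request(match["target"])
        if verdict != "benign":
            findings.append((match["ip"], verdict, match["target"]))
    return findings


if __name__ == "__main__":
    for ip, verdict, target in scan_access_log(SAMPLE_LOG):
        print(f"{ip:15} {verdict:11} {target}")
```

Matching on the delimiters rather than on the exact `{{4*4}}` string keeps the rule useful for any template payload, and a hit on a path other than the SEOmatic action is still worth a look, since Craft renders Twig in several places. Run it over the real access log (one line per list element) to establish whether the endpoint was probed before the fixed release was installed.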

@cherrykoda
Author

I've updated to the latest SEOmatic, but the calculation is still being performed via the URL query on the latest version and is causing concern. I've been given 24 hours to provide progress or shut down the SEO tool on the impacted site.

Is it possible the fix from 3.2.46 was accidentally undone?

@khalwat
Collaborator

khalwat commented Apr 28, 2020

Yes, this is a regression from the fix in 3.2.46 -- you can pull from dev-develop to get the build with a fix.

The release version is coming very soon.

@khalwat khalwat closed this as completed Apr 28, 2020
@khalwat
Collaborator

khalwat commented Apr 28, 2020

Release is out -> https://github.com/nystudio107/craft-seomatic/releases/tag/3.3.0

@cherrykoda
Author

Thank you!!
