SSTI Vulnerability #614
I've updated to the latest SEOmatic, but the calculation is still being performed via URL query on the latest version and is causing concern. I've been given 24 hours to provide progress or shut down the SEO tool on the impacted site. Is it possible the fix from 3.2.46 was accidentally undone?
yes, this is a regression from the fix in 3.2.46 -- you can pull from The release version is coming very soon.
Release is out -> https://github.com/nystudio107/craft-seomatic/releases/tag/3.3.0
Thank you!!
Note: I was sent the following by a client's security team, so I'll do my best to answer any questions regarding it.
I believe I found an issue on your main site (www.domain.com).
CVE for it: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9757
Description
The mentioned site uses CraftCMS and the SEOmatic plugin. SEOmatic has an SSTI issue which leads to RCE (Remote Code Execution).
The vulnerable url is:
https://domain.com/actions/seomatic/meta-container/meta-link-container/?uri={{4*4}}
Basically, the response will contain 16, which means the server performed the calculation.
CraftCMS also has this method:
craft.app.view.evaluateDynamicContent which lets you evaluate PHP code.
Examples:
{{craft.app.view.evaluateDynamicContent('phpinfo();')}}
Similarly, you can use file_put_contents() and file_get_contents() to upload a PHP shell.
Discovery date: 27.04.2020.
Impact: Execute command on the server
Proposed fix: Disable SEOmatic or update to latest available release.
Craft Version: 3.4.17.1 (latest)
SEOMatic Version: 3.2.51 (latest)
PHP Version: 7.3.15
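A defender-side check for the access pattern the report describes (Twig delimiters arriving in a query parameter of a SEOmatic action URL), as an added example that is not code from SEOmatic, Craft CMS or anyone in this thread. It assumes Apache/nginx combined-style access logs; the log lines, IPs and timestamps are constructed, and it also catches double-URL-encoded payloads, which the report does not mention.

```python
"""Scan web access logs for probes of the SEOmatic SSTI (CVE-2020-9757).

Added example for this issue thread, not SEOmatic's or Craft's own code.
Assumes combined-format access logs; all sample data below is constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Action prefix from the report's vulnerable URL; sibling containers share it.
SEOMATIC_ACTION = "/actions/seomatic/meta-container/"
# Twig delimiters plus the PHP-evaluation helper the report names.
TWIG_MARKERS = re.compile(r"\{\{|\{%|\}\}|%\}|evaluateDynamicContent", re.I)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two probes (one double-encoded), two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Apr/2020:10:15:01 +0000] "GET /actions/seomatic/meta-container/meta-link-container/?uri=%7B%7B4*4%7D%7D HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Apr/2020:10:15:09 +0000] "GET /actions/seomatic/meta-container/meta-link-container/?uri=%257B%257B7*7%257D%257D HTTP/1.1" 200 512',
    '198.51.100.4 - - [27/Apr/2020:10:16:00 +0000] "GET /actions/seomatic/meta-container/meta-link-container/?uri=/about-us HTTP/1.1" 200 700',
    '198.51.100.4 - - [27/Apr/2020:10:16:30 +0000] "GET /blog/?q=%7B%7Bhello%7D%7D HTTP/1.1" 200 900',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%257B) are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str) -> Optional[dict]:
    """Return a finding for a SEOmatic action request carrying Twig syntax, else None."""
    parts = urlsplit(target)
    path = fully_decode(parts.path)
    if not path.startswith(SEOMATIC_ACTION):
        return None  # only the endpoint family the report covers
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:  # parse_qs already decoded one layer
            decoded = fully_decode(raw)
            if TWIG_MARKERS.search(decoded):
                return {"path": path, "param": name, "payload": decoded}
    return None


def scan_log(lines) -> list:
    """Return (ip, timestamp, finding) for every log line that carries a probe."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (finding := inspect_request(m["target"])):
            hits.append((m["ip"], m["ts"], finding))
    return hits
```

Run `scan_log(SAMPLE_LOG)` to see both probes from 203.0.113.7 flagged while the legitimate SEOmatic request and the unrelated `/blog/` request are not.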