Closed cherrykoda closed 4 years ago
I've updated to the latest SEOmatic, but the calculation is still being performed via URL query on the latest version and is causing concern. I've been given 24 hours to provide progress or shut down the SEO tool on the impacted site.
Is it possible the fix from 3.2.46 was accidentally undone?
Yes, this is a regression from the fix in 3.2.46 -- you can pull from dev-develop to get the build with a fix.
The release version is coming very soon.
Release is out -> https://github.com/nystudio107/craft-seomatic/releases/tag/3.3.0
Thank you!!
Note: I was sent the following by a client's security team, so I'll do my best to answer any questions regarding it.
I believe I found an issue on your main site (www.domain.com). CVE for it: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9757
Description: The mentioned site uses CraftCMS and the SEOmatic plugin. SEOmatic has an SSTI issue which leads to RCE (Remote Code Execution).
The vulnerable url is: https://domain.com/actions/seomatic/meta-container/meta-link-container/?uri={{4*4}}
Basically in the response it will return 16, this means the server did the calculation.
CraftCMS also has this method: craft.app.view.evaluateDynamicContent which lets you evaluate PHP code.
Examples:
{{craft.app.view.evaluateDynamicContent('phpinfo();')}}
In a similar way you can use file_put_contents() and file_get_contents() to upload a PHP shell.
Discovery date: 27.04.2020.
Impact: Execute command on the server
Proposed fix: Disable SEOmatic or update to latest available release.
Craft Version: 3.4.17.1 (latest)
SEOmatic Version: 3.2.51 (latest)
PHP Version: 7.3.15
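Added example, not from this thread or the SEOmatic project: a Python script a defender could run over web-server access logs to find the kind of probe the report above describes, i.e. Twig template delimiters (`{{ }}`, `{% %}`) inside a query parameter value. The access log lines, client addresses and the non-SEOmatic paths are constructed for the example; the `/actions/seomatic/meta-container/meta-link-container/?uri=` endpoint and the `{{4*4}}` probe are the ones named in the report. The decoding loop is there because a single `unquote` misses a double-encoded `%257B%257B`.

```python
import re
from urllib.parse import parse_qsl, urlsplit, unquote

# Combined-format access log line: client, ident, user, [time], "METHOD target HTTP/x", status, size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Twig delimiters: print tags {{ }} and block tags {% %}.
# A lone "{" (e.g. JSON in a query string) must not match.
TWIG_DELIMS = re.compile(r"\{\{|\}\}|\{%|%\}")

# Constructed sample log lines (not real traffic). Line 1 is the {{4*4}} probe from the
# report, line 2 is the same idea double-encoded, lines 3-5 are benign requests.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Apr/2020:10:01:12 +0000] "GET /actions/seomatic/meta-container/meta-link-container/?uri=%7B%7B4*4%7D%7D HTTP/1.1" 200 512
203.0.113.5 - - [27/Apr/2020:10:01:20 +0000] "GET /actions/seomatic/meta-container/meta-link-container/?uri=%257B%257B7*7%257D%257D HTTP/1.1" 200 514
198.51.100.7 - - [27/Apr/2020:10:02:01 +0000] "GET /actions/seomatic/meta-container/meta-link-container/?uri=/about-us HTTP/1.1" 200 734
198.51.100.9 - - [27/Apr/2020:10:02:30 +0000] "GET /blog/?page=2 HTTP/1.1" 200 4011
198.51.100.9 - - [27/Apr/2020:10:02:45 +0000] "GET /api/search?q=%7B%22a%22%3A1%7D HTTP/1.1" 200 88
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so nested encodings resolve."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_template_probes(log_text: str) -> list:
    """Return one finding per query parameter whose decoded value contains Twig delimiters."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip rather than guess
        parts = urlsplit(m["target"])
        # parse_qsl already decodes one layer; fully_decode handles any further layers
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)
            if TWIG_DELIMS.search(value):
                findings.append({
                    "ip": m["ip"],
                    "time": m["time"],
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "status": int(m["status"]),
                })
    return findings


def main() -> None:
    for f in find_template_probes(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['value']!r} -> HTTP {f['status']}")


if __name__ == "__main__":
    main()
```

A 200 response to such a request is the signal that matters here: the thread notes the vulnerable endpoint returned the evaluated result, so a hit with a 200 on a build older than 3.3.0 should be treated as a confirmed probe against an unpatched install, not just an attempt.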