Craft CMS SEOmatic exploit info

Last updated: 2020-07-15

About the exploit

The Craft CMS plugin SEOmatic by Andrew Welch helps web developers and website owners to implement modern SEO best practices — see the plugin website and the plugin on the Craft CMS store. The plugin is commercial ($99) and popular among the Craft community.

In April 2020 a security issue for the version 3.2.46 of the plugin was posted GitHub and fixed a day later with version 3.3.0 for the plugin. But a regression was introduced later on, so the issue remained for another while.

The issue got the Common Vulnerability Exposure ID CVE-2020-12790. It uses Server Side Template Injection (SSTI). So in other words, any code can easily be executed on your website.

Here is a demonstration of exploiting the vulnerability:

Identify if your installation is vulnerable

Here is how you can check if your Craft CMS website might be affected:

1. Browser check

  https://domain.com/actions/seomatic/meta-container/meta-link-container/?uri={{4*4}}

Call the above URL. Replace domain.com with your own domain. Your website is affected if you get a json response that contains meta-link-container?uri=16.

2. Version check

You should also check for the installed version of the plugin. You can do so in the Craft CMS control panel under Utilities > System Report. Or you can check your composer.json file for the installed version as well.

Check if your installation was actually hacked

In case your Craft CMS installation is affected by the issue, hackers might or might not have made use of it. See if your App has been compromised like so:

1. Login to your App by SSH or SFTP
2. Review htdocs/web folder for suspicious php files - index.php is expected, other files usually not.
3. Compare the htdocs/web/index.php with your local copy of index.php

We saw some hacked Craft CMS installations to be used for crypto currency mining. If in doubt, go ahead and contact your hosting provider (us).

# Some example files
# file names are completely arbitrary

%20mo.php
%20tempek.php
ad-center.php
aindex.php
ajax-index.php
class-wp-style.php
configindex.php
mo.php
peler.php
siteindex.php
tempek.php
wp-admin/.htaccess
wp-admin/d3d3LmR1bmRlcnZlcmsubm8=.txt
wp-admin/d3d3LmR1bmRlcnZlcmsubm8=a.txt
wp-admin/images/index.php
wp-admin/ZHVuZGVydmVyay5mcmIuaW8=.txt
wp-blog.php
wp-load.php

./web/cpresources/b9382711/yii2/helpers/Inflector.php
./web/cpresources/b9382711/yii2/Yii.php
./web/dist/404.php
./web/dist/dashicons.php
./web/uploads/zr.php
./web/uploads/watchdoge.php
./web/index-clean.php

./web/images/wp-log.php
./web/assets/originals/new_readme.php
./web/assets/formtest/wp-aespa.php

We have also seen index.php files to be affected.

Update Craft CMS

Update the SEOmatic Craft Plugin to the latest version. Best also update all other plugins and Craft as well. We advice to start with your local installation and then apply the updates by deploying. Please see our update Craft article on how to do that best.

Please mind that, even when your website is now updated and thus secured, it might have been target to attacks before. The update can not protect you form already existing hacks, it can only prevent hacks in the future. So even when you are up-to-date we recommend to check the files.

Change the database password

It's also a good idea to change your database password to make sure that no one has access to that any more. You can reset the MySQL password with our Dashboard, see our help instructions. When using our dynamic environment variables resetting the MySQL password will be seamless, no configuration change on code level required.

Remove malicious files

If your App was indeed hacked, remove the malicious files that have been created by the introducers. Those files are not part of your Git repo. For Universal Apps you need to login by SSH / SFTP and manually remove all the files.

(Wipe and redeploy)

You might also wipe everything and redeploy a fresh state from your local copy to make sure all the bad stuff is gone for good. Please consider: Universal Apps have an overwrite but not delete deployment strategy, so you will first need to delete all the files by SSH/SFTP upfront.

Make sure to keep your uploaded assets, but also make sure to check your asset volumes as well, since we have seen files in there as well. Pro Stack Apps have atomic deployment, so deploying code from local will wipe all files on the App.

Also make sure that your local copy of Craft is as up-to-date (version and content) as the production one on fortrabbit. We strongly recommend to keep the two environments in sync. Our Craft Copy tools helps.

You can also use a new App to deploy to. Create a (trial) App, add it as an additional remote, deploy code, assets and database (Craft Copy can help here as well), later move domain.

(Restore your App from a backup)

Another option is to restore your App from an existing backup, this applies when you lost your local version or it is outdated. We offer backups for some hosting plans. The backup retention period goes back to 14 days, so a clean state in there can not be guaranteed. Please see our backups article for more details. You can also use your local development environment as the backup base.

(Change passwords for the Control Panel)

To be on the save side, better also change all user passwords for accessing the Craft CMS Control Panel.

A word on responsibility and service level

Please mind that is not our service scope to monitor or patch the software of our clients. We don't know about the software you are using. We don't peek in your code without permission.

Therefore we can not clean or update your Apps. We will also not be able to re-install older versions of your App.

We are in this together. You, the responsible web developer and client. We as the hosting provider are doing our best to keep the infra running. You take care of the software you write and install. For more details, please see our support policy.

Don't hesitate to contact us: Start chat!

Action taken by fortrabbit

We have extended our blacklists to avoid malicious requests with new learnings from these cases. This is not fixing the underlying issue but will stop most attacks against this vulnerability.

We mailed all clients owning Craft CMS Apps that have SEOmatic installed.

We are also monitoring our systems for unusual usage patterns. Some hacks - like crypto mining - are abusing our platform (high CPU usage) and can be detected by us. We will proactively contact clients one by one in such cases.

We started to pro-actively remove certain affected files on some individual Apps and even also removing malicious parts in certain files, for example in index.php. This is a measure, we don't like to do, since we usually never directly interfere with client code. We did so for clients who have not reacted on our previous mailings on the subject.

We don't know everything on the matter. We can not guarantee that this guide is a definite fix. We are also still learning here. We will update this article with new learnings.

Further hearing

The latest devMode podcast show called "Critical SEOmatic SSTI Vulnerability Post-Mortem" discusses the issue in retrospect.