Last updated: 2020-07-15
About the exploit
The Craft CMS plugin SEOmatic by Andrew Welch helps web developers and website owners implement modern SEO best practices — see the plugin website and the plugin on the Craft CMS store. The plugin is commercial ($99) and popular in the Craft community.
In April 2020 a security issue affecting version 3.2.46 of the plugin was posted on GitHub and fixed a day later with version 3.3.0 of the plugin. A regression was introduced later on, however, so the issue remained open for a while longer.
The issue was assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2020-12790. It is a Server Side Template Injection (SSTI) vulnerability. In other words, arbitrary code can easily be executed on your website's server.
Here is a demonstration of exploiting the vulnerability:
Identify if your installation is vulnerable
Here is how you can check if your Craft CMS website might be affected:
1. Browser check
Call the URL above, replacing domain.com with your own domain. Your website is affected if you get a JSON response that contains
2. Version check
You should also check the installed version of the plugin. You can do so in the Craft CMS control panel under Utilities > System Report, or you can check your composer.json file for the installed version as well.
Check if your installation was actually hacked
If your Craft CMS installation is affected by the issue, attackers may or may not have made use of it. Check whether your App has been compromised like so:
- Login to your App by SSH or SFTP.
- Check the htdocs/web folder for suspicious files; index.php is expected, other files usually not.
- Compare the htdocs/web/index.php with your local copy of
We have seen some hacked Craft CMS installations being used for cryptocurrency mining. If in doubt, go ahead and contact your hosting provider (us).
# Some example files
# file names are completely arbitrary
%20mo.php
%20tempek.php
ad-center.php
aindex.php
ajax-index.php
class-wp-style.php
configindex.php
mo.php
peler.php
siteindex.php
tempek.php
wp-admin/.htaccess
wp-admin/d3d3LmR1bmRlcnZlcmsubm8=.txt
wp-admin/d3d3LmR1bmRlcnZlcmsubm8=a.txt
wp-admin/images/index.php
wp-admin/ZHVuZGVydmVyay5mcmIuaW8=.txt
wp-blog.php
wp-load.php
./web/cpresources/b9382711/yii2/helpers/Inflector.php
./web/cpresources/b9382711/yii2/Yii.php
./web/dist/404.php
./web/dist/dashicons.php
./web/uploads/zr.php
./web/uploads/watchdoge.php
./web/index-clean.php
./web/images/wp-log.php
./web/assets/originals/new_readme.php
./web/assets/formtest/wp-aespa.php
We have also seen existing index.php files being modified.
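The file check described above can be scripted over SSH. The following is an added example, not from the fortrabbit article or the SEOmatic project: it lists PHP files under a web root that are not on an allow-list of expected files, and compares the deployed index.php byte for byte against a local known-good copy. The htdocs/web layout follows the article; the allow-list, the sample tree and the file contents are constructed here for illustration.

```shell
#!/bin/sh
# Added example: inventory a Craft web root for unexpected PHP files and
# compare index.php with a known-good local copy. The sample tree built by
# make_sample_tree is constructed for this example only.

# Print PHP files under a web root that are not on the allow-list.
# $1 = web root (e.g. htdocs/web); remaining args = expected relative paths.
unexpected_php_files() {
    root="$1"; shift
    find "$root" -type f -name '*.php' | sort | while IFS= read -r f; do
        rel="${f#"$root"/}"
        keep=1
        for ok in "$@"; do
            if [ "$rel" = "$ok" ]; then keep=0; fi
        done
        if [ "$keep" -eq 1 ]; then printf '%s\n' "$rel"; fi
    done
}

# Compare the deployed index.php ($1) with the local copy ($2) byte for byte.
# Prints "same" or "differs"; a difference is a reason to inspect the file.
compare_index() {
    if cmp -s "$1" "$2"; then echo same; else echo differs; fi
}

# Build a small constructed tree: a clean local copy, a production copy with
# an appended line, a legitimate upload and a PHP file dropped into uploads
# (the name zr.php is taken from the article's list of observed file names).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/htdocs/web/uploads" "$dir/local/web"
    printf '<?php require "bootstrap.php";\n' > "$dir/local/web/index.php"
    printf '<?php require "bootstrap.php";\n// appended\n' > "$dir/htdocs/web/index.php"
    : > "$dir/htdocs/web/uploads/photo.jpg"
    : > "$dir/htdocs/web/uploads/zr.php"
    printf '%s\n' "$dir"
}
```

On a real App you would run `unexpected_php_files /path/to/htdocs/web index.php` after logging in by SSH and `compare_index htdocs/web/index.php /path/to/local/web/index.php` against your Git checkout; every path the first command prints and every "differs" result deserves a manual look, since the article notes that both dropped files and modified index.php files have been observed.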
Update Craft CMS
Update the SEOmatic Craft plugin to the latest version. Ideally, update all other plugins and Craft itself as well. We advise starting with your local installation and then applying the updates by deploying. Please see our update Craft article on how best to do that.
Please keep in mind that, even when your website is now updated and thus secured, it might have been targeted by attacks before. The update cannot protect you from already existing hacks; it can only prevent hacks in the future. So even when you are up to date, we recommend checking the files.
Change the database password
It's also a good idea to change your database password to make sure that no one else has access to it any more. You can reset the MySQL password with our Dashboard; see our help instructions. When using our dynamic environment variables, resetting the MySQL password is seamless, with no configuration change on the code level required.
Remove malicious files
If your App was indeed hacked, remove the malicious files that have been created by the intruders. Those files are not part of your Git repo. For Universal Apps you need to log in by SSH / SFTP and remove all the files manually.
(Wipe and redeploy)
You might also wipe everything and redeploy a fresh state from your local copy to make sure all the bad stuff is gone for good. Please consider: Universal Apps have an overwrite-but-not-delete deployment strategy, so you will first need to delete all the files by SSH/SFTP upfront.
Make sure to keep your uploaded assets, but also check your asset volumes, since we have seen malicious files in there as well. Pro Stack Apps have atomic deployment, so deploying code from local will wipe all files on the App.
Also make sure that your local copy of Craft is as up to date (version and content) as the production one on fortrabbit. We strongly recommend keeping the two environments in sync. Our Craft Copy tool helps with that.
You can also deploy to a new App. Create a (trial) App, add it as an additional remote, deploy code, assets and database (Craft Copy can help here as well), and later move the domain.
(Restore your App from a backup)
Another option is to restore your App from an existing backup; this applies when you have lost your local version or it is outdated. We offer backups for some hosting plans. The backup retention period goes back 14 days, so a clean state in there cannot be guaranteed. Please see our backups article for more details. You can also use your local development environment as the backup base.
(Change passwords for the Control Panel)
To be on the safe side, also change all user passwords for accessing the Craft CMS Control Panel.
A word on responsibility and service level
Please keep in mind that it is not within our service scope to monitor or patch the software of our clients. We don't know which software you are using. We don't look into your code without permission.
Therefore we cannot clean or update your Apps. We will also not be able to re-install older versions of your App.
We are in this together: you, the responsible web developer and client, and we, the hosting provider. We do our best to keep the infrastructure running. You take care of the software you write and install. For more details, please see our support policy.
Don't hesitate to contact us: Start chat!
Action taken by fortrabbit
We have extended our blacklists to block malicious requests, based on what we learned from these cases. This does not fix the underlying issue, but it will stop most attacks against this vulnerability.
We mailed all clients owning Craft CMS Apps that have SEOmatic installed.
We are also monitoring our systems for unusual usage patterns. Some hacks, like crypto mining, abuse our platform (high CPU usage) and can be detected by us. We will proactively contact clients one by one in such cases.
We have started to proactively remove certain affected files on some individual Apps, and even to remove malicious parts of certain files, for example index.php. This is a measure we do not like to take, since we usually never directly interfere with client code. We did so for clients who had not responded to our previous mailings on the subject.
We don't know everything on the matter. We cannot guarantee that this guide is a definitive fix. We are still learning here, and we will update this article with new findings.
The latest devMode podcast show called "Critical SEOmatic SSTI Vulnerability Post-Mortem" discusses the issue in retrospect.