Critical SEOmatic SSTI Vulnerability Post-Mortem

Hosted by Matt Stein, on this episode we talk to Andrew Welch from nystudio107, Nevin Lyne from Arcus Tech, and Brad Bell from Pixel & Tonic.

The discussion centers around a recent critical Server Site Template Injection (SSTI) & Remote Code Execution (RCE) exploit in the SEOmatic plugin for Craft CMS.

We discuss a timeline of what transpired, and walk through the discovery process as in the wild exploits were found.

We also talk about whether you should be concerned, and update to the patched SEOmatic 3.3.0 or later (spoiler: you should, and you should).

We also go into steps that Pixel & Tonic, plugin developers, and frontend developers producing sites can take to

• SEOmatic plugin
• CVE 2020-12790
• SEOmatic Exploit removal
• evaluateDynamicContent()
• Deprecating evaluateDynamicContent() PR
• Yii2 Security Best Practices
• What are the best PHP input sanitizing functions?
• SEOmatic 3.3.9 release w/automated SSTI Unit Test
• SSTI Unit Test & Scrutinizer-CI on push code diff
• OWASP Zed Attack Proxy (ZAP)
• How to sandbox Twig
• Deface SSTI ( Server-Side Template Injection ) + RCE ( Remote Code Execution )
• Craft CMS (SEOmatic Plugin) - SSTI (Server Side Template Injection) to RCE
• Server Side Template Injection (SSTI) TO RCE

Episode source