vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php exploit

PHPUnit is a fantastic piece of software for testing. But its presence on a public-facing server represents a catastrophic failure of deployment hygiene. The code inside eval-stdin.php is arguably the most dangerous 79 characters in modern PHP history, because it gives an attacker exactly what they want: a direct pipeline from HTTP to eval().

curl -X POST https://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php -d "<?php system('id'); ?>"

A critical flaw in PHPUnit, tracked as CVE-2017-9841, allows remote attackers to execute arbitrary PHP code on vulnerable servers. This security gap stems from an optional development script that was inadvertently exposed to the public web.


server {
    listen 80;
    server_name example.com;
    root /var/www/my-app/public;   # NOT /var/www/my-app
    index index.php;
    ...
}

3. Block Access to vendor

If you manage PHP applications, it is highly recommended to scan your web directories for the existence of this file and ensure vendor access is blocked at the web server level.


The attacker scans thousands of domains looking for the specific path: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.

<?php system('id'); ?>

PHPUnit is a unit testing framework for PHP that allows developers to write and run tests for their code. It is a crucial tool for ensuring that individual units of code, such as functions and methods, behave as expected. PHPUnit provides a rich set of features for writing and running tests, including support for test fixtures, test suites, and test runners.

Attackers fuzz target domains with variants of the structural URL:

The wrapper reads raw data from the body of an HTTP request. An attacker can send an HTTP POST request to the file's URI containing malicious PHP code (beginning with <?php) in the request body.

(and the entire PHPUnit development dependency from production):

This script was designed to facilitate internal testing processes. However, it lacks any form of authentication or access control. If the vendor directory is publicly accessible via the web server, anyone can send an HTTP request to this file and execute code.

Vulnerable Versions