PHPUnit versions before 4.8.28 and 5.x before 5.6.3 utilized eval-stdin.php in a way that allowed remote HTTP POST requests to feed malicious payloads directly into the PHP eval() function.
The path /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php is not a helpful development artifact. Its presence in a web-accessible directory is a critical security flaw that leads directly to a full system compromise. The vulnerability is widely known, trivial to exploit, and is actively used by malware and botnets.
curl -X POST -d "<?php echo 'test'; ?>" http://yoursite.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
If the request returns a blank page (HTTP 200) or a 500 error instead of a 404 (Not Found) or 403 (Forbidden), the file exists and is reachable from the web.
Ensure you are on version 4.8.28+, 5.6.3+, or any 7.x/8.x/9.x release.
2. Move the Vendor Folder
This file contains a very small but powerful script:
This file has a known and important security history.
If the server returns the expected MD5 hash, the attacker knows the endpoint executes arbitrary PHP and can pivot to an advanced payload: install a web shell, extract database credentials from environment (.env) files, or deploy ransomware.
POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: www.victim-site.com
Content-Type: application/x-www-form-urlencoded
Ensure the autoindex directive is turned off inside your location blocks:
autoindex off;
4. Block Access to the Vendor Directory
If an Nginx or Apache server has:
This relies on an enabled Options +Indexes setting in Apache or a misconfiguration in Nginx. It signals that the web server is displaying an open directory listing rather than rendering a default landing page (such as index.php).
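As an added hardening example (not taken from the page or any PHPUnit project source), the following Nginx server block applies steps 3 and 4 together: it disables directory listings and denies every request under /vendor/, so eval-stdin.php can no longer be reached even if the dependency is still installed. The document root path, server name, and PHP-FPM socket are assumptions chosen for illustration.

```nginx
server {
    listen 80;
    server_name yoursite.com;            # assumed hostname
    root /var/www/yoursite/public;       # assumed document root

    # Never emit directory listings anywhere on this vhost.
    autoindex off;

    # Deny the whole Composer vendor tree, including
    # /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.
    # "^~" gives this prefix priority over the regex PHP location below,
    # so a .php file under /vendor/ is refused rather than executed.
    location ^~ /vendor/ {
        deny all;
        return 403;
    }

    # Also refuse dotfiles such as .env that may sit in the web root.
    location ~ /\. {
        deny all;
        return 403;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        try_files $uri =404;             # no execution of non-existent scripts
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

After reloading Nginx, repeat the curl check above: the request for eval-stdin.php should now return 403, and the long-term fix remains updating PHPUnit and keeping the vendor folder outside the document root.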