Index of vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

The file vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php refers to a critical Remote Code Execution (RCE) vulnerability identified as CVE-2017-9841. This vulnerability is officially tracked as CVE-2017-9841 [1, 2]. While the flaw was patched years ago, misconfigured web servers and outdated dependency folders continue to leave applications exposed online [1, 2].

What PHPUnit Is

PHPUnit is a unit testing framework for PHP that allows you to write and execute tests for your code. It is a crucial tool for ensuring that your code works as expected, catching bugs and errors early on, and preventing regressions. With PHPUnit, you can write tests for individual units of code, such as functions, methods, and classes, and then run those tests to verify that your code behaves correctly.

Here are some scenarios where eval-stdin.php is particularly useful:

What eval-stdin.php Is

eval-stdin.php was a helper script used by PHPUnit to evaluate PHP code passed via standard input. It was part of PHPUnit's internal process isolation mechanism: when running tests in separate processes, PHPUnit would pipe code to this script, which would then eval() it.

Affected Versions

PHPUnit versions before 4.8.28 and 5.6.3.

How the Vulnerability Works

If this file is on a web server (e.g., in a vendor/ directory under the webroot), an attacker can send arbitrary PHP code via POST/GET to eval-stdin.php and get it executed.

Anatomy of an Attack

[Attacker POST Request]
        │
        ▼
[Web server at http://example.com]
        │
        ▼
[eval('?>' . file_get_contents('php://input'))]
        │
        ▼
[Executes payload with server privileges]

Critical Security Actions

If you are a developer or site owner, you must take immediate action to secure your environment.

1. Remove the Vendor Directory from Public Access: Ensure your /vendor directory is not accessible via the browser. You can do this by moving it outside the web root or adding a restriction in your configuration.

2. Exclude Development Dependencies from Production Deployments: PHPUnit is a development tool and should generally not be installed on production servers. Use composer install --no-dev when deploying to production to exclude development dependencies like PHPUnit.
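The exposure that the security actions above remove can also be checked for after the fact in web server access logs. The following is an added example, not code from the original page or from the PHPUnit project: a small Python scanner that parses combined-format access log lines (the log format and the sample lines are assumed and constructed here) and reports any request that reached eval-stdin.php as critical, and any successful response served from under /vendor/ as a warning that the directory is reachable through the web root.

```python
import re

# Combined/common access-log format (assumed; adjust the pattern for your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Script path named in the advisory; any request reaching it is a critical finding.
EVAL_STDIN = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

def classify(path, status):
    """Return 'critical', 'warning' or None for one request path and status."""
    # Strip the query string and normalise case: a case-insensitive filesystem
    # would still serve the script for a differently-cased request.
    clean = path.split("?", 1)[0].lower()
    if clean.endswith(EVAL_STDIN.lower()):
        # Report even non-2xx hits: probing for this file is itself a signal.
        return "critical"
    if "/vendor/" in clean and 200 <= status < 300:
        # A successful response from under /vendor/ shows the directory
        # is reachable through the web root, which the advice above forbids.
        return "warning"
    return None

def scan(lines):
    """Parse access-log lines and return (severity, ip, method, path, status) tuples."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        status = int(m.group("status"))
        sev = classify(m.group("path"), status)
        if sev:
            findings.append((sev, m.group("ip"), m.group("method"), m.group("path"), status))
    return findings

# Constructed sample log lines (not real traffic; documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 43',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /vendor/autoload.php HTTP/1.1" 200 12',
    '198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "GET /vendor/composer/installed.json HTTP/1.1" 403 0',
    '192.0.2.4 - - [10/Oct/2023:13:58:22 +0000] "GET /index.php?page=vendor HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for sev, ip, method, path, status in scan(SAMPLE_LOG):
        print(f"{sev.upper():8} {ip} {method} {path} -> {status}")
```

A 403 from under /vendor/ is deliberately not reported, since it shows the restriction from action 1 is in place; a 2xx from eval-stdin.php means the script actually executed and the host should be treated as compromised until proven otherwise.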