and is frequently targeted by automated bots scanning for exposed directories on web servers. Core Vulnerability Details Vulnerable File: vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php Root Cause: The script uses the PHP function eval('?> ' . file_get_contents('php://input'));
Immediately remove PHPUnit from production web root, or block access to /vendor/ . PHPUnit is a development dependency, never for production web exposure. and is frequently targeted by automated bots scanning
: The eval-stdin.php script allows for the evaluation of PHP code that is piped to it via standard input. This can be particularly useful in certain development or testing workflows. PHPUnit is a development dependency, never for production
, was intended to allow PHPUnit to execute code passed via a "standard input" (stdin) stream during local development and testing. However, when developers leave their , was intended to allow PHPUnit to execute
Because evalStdin.php reads from php://stdin , it will execute whatever PHP code is in the request body. This gives the attacker the same privileges as the web server user (e.g., www-data ).
Article posted by Andrea Cerquozzi , translated by Google Translate
This Blog is not regularly updated, therefore does not represents a newspaper