Vendor Phpunit Phpunit Src Util Php Eval-stdin.php Exploit ((exclusive)) Official

Title: Exploiting PHPUnit's eval-stdin.php for Remote Code Execution (RCE)

CVE IDs: CVE-2017-9841 (primary); related issues concern how the component is used.
Affected Component: <phpunit>/src/Util/PHP/eval-stdin.php
Severity: Critical (CVSS 9.8)
Affected Versions: PHPUnit before 4.8.28 and 5.x before 5.6.3.

A note on "False Positives"

Sometimes, a 200 OK response might come from a custom error handler or a dummy file rather than from the real script. To confirm, send a benign mathematical operation:

curl -X POST https://target.com/eval-stdin.php -d "<?php echo 5*5; ?>"

If the response contains 25, the file is executing the request body and the host is confirmed vulnerable.

Broader lessons and takeaways

Why this was possible

Why is this so dangerous?

| Factor | Explanation |
|--------|-------------|
| No authentication | The script requires no login, token, or special header. |
| Trivial to find | Attackers use automated scanners to crawl for /vendor/phpunit/.../eval-stdin.php. |
| Low attack complexity | Any network-level attacker can exploit it; no user interaction is needed. |
| Full RCE | Attackers can execute arbitrary system commands, not just PHP functions. |
| Privilege context | The script runs with the web server user's privileges (e.g., www-data), often with read access to files and write access to certain directories. |
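Because scanners crawl for this path, the web server access log is where a defender first sees activity against it. The following Python script is an added example, not code from the original page or from PHPUnit: it parses combined-format access log lines, flags every request whose path names eval-stdin.php, and separates sources that merely probed for the file (GET, or a non-200 answer) from those whose POST was answered with 200 OK, which is what the vulnerable file returns after it has executed the body. The log lines are constructed sample data, and LOG_RE, TARGET_RE and the function names are this example's own.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format. The regex is a simplification that covers
# the common case; it does not handle every quoting corner case.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Match on the file name only: the vendor prefix varies between installs and
# scanners try several of them.
TARGET_RE = re.compile(r'eval-stdin\.php', re.IGNORECASE)

# Constructed sample log lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153
198.51.100.4 - - [10/Oct/2023:14:02:11 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 2
198.51.100.4 - - [10/Oct/2023:14:02:12 +0000] "POST /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 2
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 199
garbage line that does not parse
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_eval_stdin_probes(log_text):
    """Map source IP -> {"probes": n, "post_200": n, "paths": set(...)} for eval-stdin.php requests."""
    report = defaultdict(lambda: {"probes": 0, "post_200": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not TARGET_RE.search(rec["path"]):
            continue
        entry = report[rec["ip"]]
        entry["probes"] += 1
        entry["paths"].add(rec["path"])
        # A POST answered with 200 means a body reached a script that accepted it:
        # treat it as a likely execution, not just a scan for the file's existence.
        if rec["method"] == "POST" and rec["status"] == "200":
            entry["post_200"] += 1
    return dict(report)


def triage(report):
    """Split sources into 'likely_exploited' (at least one POST+200) and 'scanned' (all others)."""
    likely = sorted(ip for ip, e in report.items() if e["post_200"] > 0)
    scanned = sorted(ip for ip, e in report.items() if e["post_200"] == 0)
    return {"likely_exploited": likely, "scanned": scanned}


if __name__ == "__main__":
    rep = find_eval_stdin_probes(SAMPLE_LOG)
    for ip, e in sorted(rep.items()):
        print(ip, "probes:", e["probes"], "post_200:", e["post_200"], sorted(e["paths"]))
    print(triage(rep))
```

Run it against a real log with `find_eval_stdin_probes(open("access.log").read())`. Any source in `likely_exploited` should be treated as a compromise of the web server user until the file and request bodies say otherwise; a 404 or 403 on the path shows only that the host was scanned.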

For Developers

Run this command from your project root to see if you are vulnerable:

find . -path "*/phpunit/src/Util/PHP/eval-stdin.php" -exec ls -la {} \;

If the file exists and you are in a production environment, assume compromise.
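Beyond checking that the file exists, a developer wants to know which PHPUnit version is installed and whether the vendor tree is one that a web server can reach. The following Python audit is an added example, not code from the page or from PHPUnit: it walks a project root for src/Util/PHP/eval-stdin.php, reads vendor/composer/installed.json (both the plain list that Composer 1 wrote and the {"packages": [...]} document that Composer 2 writes) for the phpunit/phpunit version, and compares that version against the fixed releases stated above (4.8.28 and 5.6.3). build_demo_project() fabricates a throwaway tree so the script runs offline; the function names and the FIXED table are this example's own.

```python
import json
import os
import tempfile

# First fixed release on each affected line, per the advisory quoted on this page.
FIXED = {4: (4, 8, 28), 5: (5, 6, 3)}


def parse_version(v):
    """'v4.8.27' or '4.8.27' -> (4, 8, 27); None for non-numeric strings such as 'dev-master'."""
    parts = v.lstrip("v").split(".")
    try:
        t = tuple(int(p) for p in parts[:3])
    except ValueError:
        return None
    while len(t) < 3:
        t = t + (0,)
    return t


def is_vulnerable_version(v):
    """True if v is in an affected range, False if fixed, None if it cannot be decided."""
    t = parse_version(v)
    if t is None:
        return None
    major = t[0]
    if major < 4:
        return True  # "before 4.8.28" covers every older line
    if major in FIXED:
        return t < FIXED[major]
    return False  # 6.x and later were released after the fix


def find_eval_stdin(root):
    """Every eval-stdin.php that sits in a src/Util/PHP directory below root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "eval-stdin.php" in files and dirpath.replace(os.sep, "/").endswith("src/Util/PHP"):
            hits.append(os.path.join(dirpath, "eval-stdin.php"))
    return sorted(hits)


def installed_phpunit_version(root):
    """Version string Composer recorded for phpunit/phpunit, or None if absent."""
    path = os.path.join(root, "vendor", "composer", "installed.json")
    if not os.path.exists(path):
        return None
    with open(path) as f:
        data = json.load(f)
    packages = data["packages"] if isinstance(data, dict) else data
    for pkg in packages:
        if pkg.get("name") == "phpunit/phpunit":
            return pkg.get("version")
    return None


def audit_project(root):
    """Combine file presence and version into one verdict for a project root."""
    files = find_eval_stdin(root)
    version = installed_phpunit_version(root)
    return {
        "files": files,
        "version": version,
        "vulnerable_version": is_vulnerable_version(version) if version else None,
        # Presence alone is the exposure condition if root is served by a web server.
        "exposed_if_docroot": bool(files),
    }


def build_demo_project(version="4.8.27"):
    """Create a constructed, throwaway project tree (not a real install) for demonstration."""
    root = tempfile.mkdtemp(prefix="phpunit-audit-")
    php_dir = os.path.join(root, "vendor", "phpunit", "phpunit", "src", "Util", "PHP")
    os.makedirs(php_dir)
    with open(os.path.join(php_dir, "eval-stdin.php"), "w") as f:
        f.write("<?php\n")  # contents do not matter to the audit, only presence
    composer_dir = os.path.join(root, "vendor", "composer")
    os.makedirs(composer_dir)
    with open(os.path.join(composer_dir, "installed.json"), "w") as f:
        json.dump({"packages": [{"name": "phpunit/phpunit", "version": version}]}, f)
    return root


if __name__ == "__main__":
    for v in ("4.8.27", "5.6.2", "6.5.0"):
        print(v, audit_project(build_demo_project(v)))
```

Call `audit_project(".")` from the project root on a real install. A version verdict of False does not make the file safe to serve: any eval-stdin.php under a web-served directory shows that development dependencies were installed in production. The durable fix is `composer install --no-dev` for production builds, together with keeping vendor/ outside the document root or denying it in the web server configuration.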

The Vulnerable Code

The vulnerability exists in the file vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. The contents of the file in vulnerable versions are minimal and look roughly like this:

<?php
/*
 * This file is part of PHPUnit.
 *
 * (c) Sebastian Bergmann <sebastian@phpunit.de>
 */
// ... license header ...
// php://input is the raw body of the current HTTP request, so whatever text
// is POSTed to this script is evaluated as PHP with no check of any kind.
eval('?>' . file_get_contents('php://input'));