vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php CVE review
<?php echo 'Vulnerable'; ?>
However, two common mistakes led to the disaster:
This file is part of PHPUnit's internal structure and was never intended to be a public-facing web script. Its function is to receive code over php://stdin and execute it with eval(): a necessity for PHPUnit's own internal processes, but catastrophic if done on a web server.
```http
POST /vendor/phpunit/phpunit/src/util/php/eval-stdin.php HTTP/1.1
Host: target.com
Content-Length: 23
```
She wrote a patch: remove the file from packaging, add an explicit exclude to composer.json, blacklist the util/ directory in the build step, and add a unit test that asserts no executable that reads raw stdin and calls eval lands in a release. She crafted a short post in the team's chat explaining the concrete changes and the risk: "Remote code execution via eval in production — mitigated by excluding debug helper and adding test." No drama, no finger-pointing.
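The release check described above, written out as an added example (this is not PHPUnit's code nor the patch from the story): it walks a build tree and reports every PHP file that both reads raw input (php://stdin or php://input) and passes something to eval(), so the build can refuse to ship such a helper. The sample tree it builds is constructed for the demonstration and contains only the page's simplified one-liner, not the real file.

```python
"""Release-packaging check (added example, not PHPUnit's own code).

Fails the build when a .php file in the release tree reads raw request or
stdin data and also calls eval(). Either pattern alone is allowed; only the
combination is the "eval raw input" helper that must never ship.
"""
import re
import tempfile
from pathlib import Path

# Both patterns must appear in the same file to count as a hit.
RAW_INPUT_RE = re.compile(r"php://(?:stdin|input)")
EVAL_RE = re.compile(r"\beval\s*\(")


def find_eval_stdin_helpers(root):
    """Return sorted root-relative paths of .php files that read php://stdin
    or php://input and call eval()."""
    hits = []
    for path in Path(root).rglob("*.php"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than crash the build
        if RAW_INPUT_RE.search(text) and EVAL_RE.search(text):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def release_is_clean(root):
    """True when no eval-on-raw-input helper is present under root."""
    return not find_eval_stdin_helpers(root)


def build_sample_tree():
    """Constructed sample release tree (hypothetical contents, not a real
    package): one offending helper, one harmless class, and one file that
    evals a constant only (must not be flagged)."""
    root = tempfile.mkdtemp(prefix="release-")
    files = {
        "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php":
            "<?php\neval(file_get_contents('php://input'));\n",
        "vendor/phpunit/phpunit/src/Framework/Assert.php":
            "<?php\nclass Assert { public static function ok($c) { return (bool) $c; } }\n",
        "src/Config.php":
            "<?php\n$version = eval('return 1;');\n",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    offenders = find_eval_stdin_helpers(sample)
    for rel in offenders:
        print("REFUSE TO SHIP:", rel)
    raise SystemExit(1 if offenders else 0)
```

Run it against the real build output directory instead of the constructed tree (`find_eval_stdin_helpers("/path/to/release")`) and wire the non-zero exit status into the packaging step; the composer.json exclude and the `--no-dev` install remain the primary fix, this check only catches regressions.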
This flaw allows an attacker to execute arbitrary PHP code on a server by sending a crafted HTTP POST request to the eval-stdin.php script (source: National Institute of Standards and Technology).

1. Vulnerability Overview

The issue stems from the script vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.
On the day of the talk, a half-dozen faces appeared on the call, yawning and caffeinated. Marta shared minimal slides: one slide with a diagram of the attack surface, one with the safe alternatives (local-only commands, feature flags, explicit release packaging), and one with a single line of code crossed out: eval($input). She explained how the internals of PHP made eval seductive: immediate, flexible, and dangerously capable. Someone asked a practical question about whitelisting; Marta answered simply: never whitelist inputs to eval; remove eval from release artifacts.
| Attribute | Details |
| -------------------- | ------------------------------------------------------------- |
| CVE ID | CVE-2017-9841 |
| CVSS Score | 9.8 (Critical) |
| Vulnerable Files | src/Util/PHP/eval-stdin.php |
| Attack Vector | HTTP POST request to exposed PHPUnit file |
| Affected Versions | PHPUnit < 4.8.28 and 5.x < 5.6.3 |
| Patched Versions | 4.8.28, 5.6.3, 6.x, and all later releases |
| Primary Cause | Insecure use of eval() on user-supplied input |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| Exploitation | Trivial; public exploits available |
| Mitigation | Upgrade PHPUnit, remove from production, block /vendor/ access |
```php
// Simplified representation of the vulnerability in eval-stdin.php
eval(file_get_contents('php://input'));
```

How the Attack Works
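Because the request shape is so simple, attempts are easy to spot in the web server's access log. The detector below is an added example (not from the page or from PHPUnit): it parses Apache/nginx combined-format lines, normalises the request path (URL-decoding, case folding, collapsing repeated slashes) so the same file is recognised however it was written in the request, and reports each hit with its HTTP status, which is what tells you whether the file was actually reachable (200) or already blocked (403/404). The log lines are constructed for the example.

```python
"""Access-log detector for requests to PHPUnit's eval-stdin.php.
Added example, not part of the original page; sample log lines are constructed."""
import re
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Match on the tail so vendor directories mounted under other prefixes are caught too.
TARGET_SUFFIX = "/util/php/eval-stdin.php"


def normalise_path(raw):
    """Strip the query string, URL-decode (twice, to unwrap double encoding),
    collapse duplicate slashes and fold case."""
    path = raw.split("?", 1)[0]
    path = unquote(unquote(path))
    return re.sub(r"/+", "/", path).lower()


def classify(line):
    """Return a dict describing the hit, or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if not normalise_path(m["path"]).endswith(TARGET_SUFFIX):
        return None
    status = int(m["status"])
    return {
        "ip": m["ip"],
        "method": m["method"],
        "status": status,
        "path": m["path"],
        # A 200 on this file means the web server handed it to PHP: the
        # helper is deployed and reachable, which is the condition to fix.
        "reachable": status == 200,
    }


def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log (RFC 5737 documentation addresses, fictional timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 12 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /VENDOR//phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.9 - - [10/Oct/2023:14:02:10 +0000] "POST /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = "REACHABLE" if hit["reachable"] else "blocked"
        print(f'{hit["ip"]} {hit["method"]} {hit["status"]} {flag} {hit["path"]}')
```

In practice the 200 responses are the ones to escalate: they show the debug helper is present in the deployed tree and being served, so the response is to remove it (and the rest of the dev dependencies) from production, not only to block the path.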
Or simply block access to the entire /vendor/ directory:
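An nginx fragment for that, added here as an example rather than taken from the page; it assumes a typical `server {}` block in which `.php` files are otherwise handed to PHP-FPM, and the `^~` prefix makes this location win over the regex `location ~ \.php$` block so the vendor tree is never passed to the interpreter.

```nginx
# Added example: refuse every request under /vendor/ (Composer-installed
# libraries, PHPUnit included). Goes inside the server {} block. ^~ stops
# nginx from also evaluating regex locations such as "location ~ \.php$".
location ^~ /vendor/ {
    return 404;
}
```

The Apache equivalent is `Require all denied` in a `<Directory>` block for the vendor path. Treat either as a stopgap: the table above lists removing PHPUnit from production (for Composer, installing with `--no-dev`) and upgrading as the real fix, since blocking one path does nothing for copies of the helper deployed elsewhere.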
Long term (weeks–months)
