When left exposed on a live production server, the PHPUnit helper script eval-stdin.php allows remote attackers to execute arbitrary code. This article explains what this exposure means, how attackers exploit it, and how to secure your server.

What is PHPUnit and eval-stdin.php?

PHPUnit is a popular testing framework for PHP applications. The specific file, eval-stdin.php, is a small helper that PHPUnit uses when it runs test code in a separate PHP process: the script reads PHP code from its input and passes it straight to eval(). It ships inside the Composer package, so you might have seen it under this path:

/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

Understanding the Vulnerability: CVE-2017-9841

This specific path, /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, is associated with CVE-2017-9841, a critical Remote Code Execution (RCE) vulnerability that allows unauthenticated attackers to execute arbitrary PHP code on a server.

The vulnerability affects PHPUnit versions before 4.8.28 and 5.x before 5.6.3. In those versions the script reads the code it evaluates from php://input. When executed in a CLI environment, which is the only way PHPUnit itself ever runs it, php://input behaves predictably and carries nothing an outsider controls. Served by a web server, php://input is the raw body of the HTTP request, so the script evaluates whatever a client chooses to POST. The fix in 4.8.28 and 5.6.3 changed the script to read from php://stdin instead.

How Attackers Exploit It

Because eval-stdin.php executes whatever code is sent to it, an attacker does not need a username or password to compromise the system. They can send a simple HTTP POST request to the exposed file with PHP code in the request body, and the server runs that code with the privileges of the PHP worker process.

Finding a target is just as easy. On some misconfigured web servers, when a directory without an index.html is requested, the server lists every file in that directory. If an attacker finds that a request for https://target.com/vendor/phpunit/phpunit/src/Util/PHP/ returns a file listing containing eval-stdin.php, the target has been identified without any guesswork. Automated scanners do not even need the listing: they request the full path directly, so turning listings off hides the file but does not protect it.

Is Your Site Affected?

Open a browser or use curl to request the eval-stdin.php path on your own domain. A 403 or 404 response means the web server is not serving it. A 200 response means the file is reachable, and if the server hands .php files to PHP it is also executable, so the site is exposed.
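To make that check repeatable, here is an added example script that audits a deployment and, optionally, a live site you are authorised to test. It is not code from the article or from PHPUnit. The file path and the version ranges come from the advisory text; the composer.lock lookup, the directory-listing heuristic and the marker string are this example's own assumptions.

```python
# Added example for this article (not code from the article or from PHPUnit).
# Path and version ranges follow the advisory text; the composer.lock lookup,
# the listing heuristic and the marker string are this example's assumptions.
import json
import re
import urllib.error
import urllib.request
from pathlib import Path

# Location of the helper inside a Composer-installed PHPUnit.
EVAL_STDIN_PATH = "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

def parse_version(version):
    """'v5.6.2' or '5.6.2-beta1' -> (5, 6, 2); missing parts count as 0."""
    core = version.lstrip("v").split("-")[0]
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((nums + [0, 0, 0])[:3])

def is_vulnerable_version(version):
    """True inside the ranges CVE-2017-9841 names: before 4.8.28, 5.x before 5.6.3.
    Later branches (6.x+) are outside the stated range and return False; that
    means 'not in range', not a promise that the file is harmless there."""
    v = parse_version(version)
    if v[0] <= 4:
        return v < (4, 8, 28)
    if v[0] == 5:
        return v < (5, 6, 3)
    return False

def phpunit_from_composer_lock(lock_text):
    """(version, section) for phpunit/phpunit in a composer.lock, else None.
    A hit under 'packages' rather than 'packages-dev' means it was listed in
    require instead of require-dev, so `composer install --no-dev` keeps it."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "phpunit/phpunit":
                return pkg.get("version"), section
    return None

def find_exposed_files(docroot):
    """Every eval-stdin.php under a document root, as docroot-relative paths.
    Nested vendor trees or several projects under one root give several hits."""
    root = Path(docroot)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("eval-stdin.php") if "phpunit" in p.parts)

LISTING_TITLE = re.compile(r"<title>\s*Index of\s", re.IGNORECASE)

def looks_like_directory_listing(html):
    """Autoindex heuristic: an 'Index of ...' title or a link to the script."""
    return bool(LISTING_TITLE.search(html)) or 'href="eval-stdin.php"' in html

def probe(base_url, timeout=10):
    """Live check of a host you are authorised to test: GET the directory
    (listing?) and the script (reachable?), then POST a harmless marker that
    only comes back if the body is evaluated as PHP, the shape of the attack.
    Nothing here runs at import time."""
    findings = {}
    script_url = base_url.rstrip("/") + "/" + EVAL_STDIN_PATH
    dir_url = script_url.rsplit("/", 1)[0] + "/"
    for key, url in (("directory", dir_url), ("script", script_url)):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                findings[key] = resp.status
                if key == "directory":
                    page = resp.read(65536).decode("utf-8", "replace")
                    findings["listing"] = looks_like_directory_listing(page)
        except urllib.error.HTTPError as err:
            findings[key] = err.code
    if findings.get("script") == 200:
        marker = "cve_2017_9841_marker"  # assumed, arbitrary string
        body = ("<?php echo '%s'; ?>" % marker).encode()
        req = urllib.request.Request(script_url, data=body, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                echoed = resp.read(65536).decode("utf-8", "replace")
                findings["executes_post_body"] = marker in echoed
        except urllib.error.HTTPError:
            findings["executes_post_body"] = False
    return findings
```

Point `find_exposed_files` at the directory your web server actually serves (not the repository root), feed the contents of composer.lock to `phpunit_from_composer_lock`, and only call `probe` against hosts you own: a `listing` of True, a `script` status of 200, or `executes_post_body` of True each corresponds to one of the exposure conditions described above, and the last one is the vulnerability itself.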
Fixing the Vulnerability

1. Update PHPUnit

Update your dependencies via Composer to ensure you are running a patched version (4.8.28, 5.6.3 or any later release): composer update phpunit/phpunit

composer update only moves within the version constraint in composer.json, so if that constraint pins a release below the fix, raise it first. Updating closes the code-execution bug, but a production site has no reason to contain the file at all, which the next step addresses.

2. Remove Development Dependencies from Production

PHPUnit is a development tool. Declare it under require-dev in composer.json rather than require, and deploy with Composer's --no-dev option so that development packages are never installed on production hosts. Then physically delete any leftover folders: a vendor/phpunit directory that was uploaded by hand or left behind by an earlier deployment stays on disk until you remove it.

Securing the Vendor Directory

Securing your site requires preventing direct access to the vendor directory. Third-party packages contain many scripts that were never meant to be reached from a browser, and eval-stdin.php is only the best-known of them.

1. Configure Web Server to Block Access

Deny every request whose path starts with /vendor/ at the web server, so that nothing in that tree is served or executed regardless of its extension. In Nginx this is a prefix location for /vendor/ that returns an error before the request can reach the PHP handler. The more robust fix is structural: place vendor and composer.json one level above your document root, so the web server cannot reach them at all, and adjust the require of vendor/autoload.php in your front controller accordingly.

2. Configure Directory Indexing

Turn directory listings off (autoindex off in Nginx), so that a request for a directory without an index file returns an error instead of a file list. This removes the reconnaissance step described above; it does not by itself protect a file whose path the attacker already knows, so combine it with step 1.
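As an added example covering both web server steps together (it is not configuration from the article or from any project), here is an Nginx server block for a PHP application whose vendor/ tree is still inside the document root. The hostname, document root and PHP-FPM socket path are placeholders; the weak directives it replaces are shown commented out.

```nginx
# Added example (not from the article): Nginx server block for a PHP app whose
# vendor/ tree is still inside the document root. Hostname, root and the
# PHP-FPM socket path are placeholders.
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com/public;
    index index.php;

    # The weak configuration this replaces: listings on, and every *.php file,
    # vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php included, handed to
    # PHP-FPM:
    #
    #   autoindex on;
    #   location ~ \.php$ { fastcgi_pass unix:/run/php/php-fpm.sock; }

    # Step 2: no directory listings, so the reconnaissance step is gone.
    autoindex off;

    # Step 1: ^~ is a prefix match that stops the regex search below, so a
    # request under /vendor/ never reaches the PHP handler, whatever its
    # extension. 404 rather than 403 so the reply does not confirm the tree.
    location ^~ /vendor/ {
        return 404;
    }

    # Composer metadata reveals exact package versions; keep it private too.
    location ~ ^/composer\.(json|lock)$ {
        return 404;
    }

    location ~ \.php$ {
        try_files $uri =404;            # only run scripts that really exist
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri /index.php?$query_string;
    }
}
```

Validate with nginx -t, reload, and request the eval-stdin.php path again: it should now return 404. Even with this in place, the structural advice stands; once vendor and composer.json live above the document root there is nothing left for the location block to protect.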
Q: Is PHPUnit itself malicious or insecure?

A: No. PHPUnit is a well-maintained testing framework. The danger arises only when development tools (especially those that execute arbitrary code) are exposed on a public web server.