The PHPUnit development team fixed the issue in versions 4.8.28 and 5.6.3 (tracked as CVE-2017-9841). The vulnerable file passed whatever it read from php://input to eval(); in a web request php://input is the raw POST body, so any client could supply the code. The fix reads from php://stdin instead, so the file only evaluates the script piped to it by the test runner and a POST body is ignored.
Patched logic (the page's guard idea, completed so it is valid PHP; it is a defence-in-depth check for the top of the file, not a substitute for updating):
    <?php
    if (!defined('STDIN')) {
        // STDIN is defined by the CLI SAPI and not by web SAPIs such as mod_php
        // or php-fpm, so a request served over HTTP exits before reaching eval().
        exit;
    }
The path vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php shows that the file is part of a Composer dependency: PHPUnit is normally a require-dev package, and it only ends up on a server when composer install is run without --no-dev and the vendor directory is deployed inside the document root.
This file ships with PHPUnit (a testing framework for PHP). In the affected versions it passes the raw HTTP request body (php://input) to eval(), so anyone who can request it over the web can execute arbitrary PHP on the server.
PHPUnit is the de facto standard testing framework for the PHP programming language. In 2017, a critical vulnerability (CVE-2017-9841) was disclosed that lets unauthenticated attackers execute arbitrary PHP code on a server simply by sending an HTTP POST request to a specific file.
The vulnerability resides in eval-stdin.php, a helper used by PHPUnit's process-isolation mode, which pipes a generated test script into a separate PHP process for evaluation. The affected versions read that script from php://input rather than php://stdin, and the file performs no authentication or SAPI check, so if the vendor directory is served by the web server, anyone can POST PHP code to it over HTTP and have it executed. Years after its disclosure, this vulnerability remains one of the most common vectors for automated botnet attacks, cryptocurrency miners, and ransomware deployment on poorly configured web servers.
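Because the exploit is a single POST to a well-known path, it is easy to spot in web server logs. The following is an added example (not from the original page or from the PHPUnit project) that runs simple detection logic over a few constructed access-log lines in Apache/Nginx combined format. The sample lines, the severity labels ("critical", "probe", "exposure") and the function names are this example's own choices; the file-name match is deliberately loose because scanners try eval-stdin.php under many prefixes, not only vendor/.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in Apache/Nginx "combined" format; they are not real
# traffic. The IPs are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:08:15:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:08:15:03 +0000] "POST /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:08:16:40 +0000] "GET /vendor/ HTTP/1.1" 200 1843 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:08:16:41 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/ HTTP/1.1" 200 612 "-" "python-requests/2.31"
192.0.2.44 - - [12/Mar/2024:08:20:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Attackers try the file under many prefixes (vendor/, lib/, laravel/vendor/, ...),
# so match on the file name rather than on the canonical path.
EVAL_STDIN_RE = re.compile(r'/eval-stdin\.php$', re.IGNORECASE)
# A successful GET for any directory under /vendor/ suggests autoindex is on.
VENDOR_DIR_RE = re.compile(r'/vendor/(?:.*/)?$', re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str  # "critical", "probe" or "exposure" (labels chosen for this example)
    reason: str


def classify(entry: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for one parsed log entry, or None if it is unremarkable."""
    path = entry["path"].split("?", 1)[0]  # ignore any query string
    status = int(entry["status"])
    method = entry["method"]
    common = dict(ip=entry["ip"], ts=entry["ts"], method=method, path=path, status=status)
    if EVAL_STDIN_RE.search(path):
        if method == "POST" and status == 200:
            return Finding(**common, severity="critical",
                           reason="POST to eval-stdin.php answered 200: submitted PHP was likely executed")
        return Finding(**common, severity="probe",
                       reason=f"{method} to eval-stdin.php answered {status}: scanner looking for the file")
    if method == "GET" and status == 200 and VENDOR_DIR_RE.search(path):
        return Finding(**common, severity="exposure",
                       reason="directory under /vendor/ answered 200 to a GET: possible autoindex listing")
    return None


def scan(log_text: str) -> List[Finding]:
    """Parse combined-format lines and collect findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or a different log format; skip rather than guess
        f = classify(m.groupdict())
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'critical': 1, 'probe': 1, 'exposure': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
    print(summarize(scan(SAMPLE_LOG)))
```

A 200 on a POST to the file is the signal worth paging on: the patched file answers the same request with an empty body, so the response size (32 bytes in the first sample line) is a useful second discriminator when the server logs it. The 404 probe and the directory GETs are lower priority but show the same source hunting for an exposed vendor tree.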
If you are running PHPUnit earlier than 4.8.28, or a 5.x release earlier than 5.6.3, update immediately. Updating is necessary but not sufficient: PHPUnit is a development dependency and should not be deployed to production at all (install with composer install --no-dev), and the vendor directory should live outside the document root or be denied by the web server configuration.
The presence of a directory listing ("Index of /...") is a diagnostic gift for attackers. A 404 for the canonical path might hide the vulnerability, but a listing of vendor/phpunit/phpunit/src/Util/PHP/ confirms that the vendor directory is served by the web server and that eval-stdin.php exists at the expected path; whether it is still the pre-fix version that reads php://input is then one POST away from being confirmed.
A simple directory listing turns a potential vulnerability into a confirmed, exploitable breach.
eval-stdin.php poses a risk when a PHPUnit release earlier than 4.8.28 or 5.6.3 is installed and the vendor directory is reachable over HTTP; both conditions together are what the automated scanners described above are looking for.