A critical remote code execution (RCE) vulnerability, tracked as CVE-2017-9841, exists in older versions of PHPUnit, a popular testing framework for PHP. The flaw is located in the file `src/Util/PHP/eval-stdin.php` that ships inside the PHPUnit package. Attackers actively target this file to execute arbitrary PHP code on vulnerable web servers. The exposure usually occurs when developers accidentally deploy development dependencies such as PHPUnit to production, so that the Composer `vendor` directory, and the script inside it, becomes reachable over HTTP.

| Aspect | Summary |
|--------|---------|
| Vulnerability | Unauthenticated RCE via eval-stdin.php (CVE-2017-9841) |
| Affected Versions | PHPUnit before 4.8.28, and 5.x before 5.6.3 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | HTTP POST to /vendor/phpunit/.../eval-stdin.php |
| Impact | Full server compromise, data breach, malware deployment |
| Active Threats | Androxgh0st malware, mass scanning campaigns |
| Remediation | Upgrade to ≥4.8.28/5.6.3, remove PHPUnit from production, restrict access to /vendor |

## The Root Cause of the Vulnerability

PHPUnit is a popular programmer-oriented testing framework for PHP. To execute tests in isolated environments (tests that must run in a separate PHP process rather than in the main test runner), PHPUnit starts a child PHP process and hands it the generated test code on standard input. The utility script `eval-stdin.php` is the helper on the receiving end: it reads that input and evaluates it as PHP. Invoked this way, from the command line by PHPUnit itself, the script is doing exactly what it was designed to do.

## The Core Vulnerability

Within the PHPUnit source code, specifically in versions before 4.8.28 and 5.x before 5.6.3, the helper used for this process-isolation mode lives at the following path inside a Composer-managed project (note the casing of `Util/PHP`, which matters on case-sensitive filesystems):

`vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`

As its name suggests, the script evaluates PHP code provided through standard input. It prepends a closing `?>` tag to that input so the data is parsed like a PHP source file, which is why a payload has to begin with `<?php`. Nothing in the affected versions checks who is supplying the input. When the `vendor` directory sits inside the document root of a web server, the same script can be requested over HTTP, and the body of an HTTP POST takes the place of the standard-input stream: whatever PHP code an attacker posts is executed by the web server's PHP process, with no authentication and no other precondition than the file being reachable.

## Exploitation

The exploitation process can be broken down into three distinct steps: automated scanners first discover sites that expose `eval-stdin.php` under a web-reachable `vendor` directory; the attacker then sends an unauthenticated HTTP POST to that path with a body of PHP code beginning with `<?php`; and the script evaluates that body, giving the attacker arbitrary code execution as the web-server user. Because the discovery step is fully automated, this is not a targeted attack but a widespread campaign: the path is a standing target of mass scanning, and the Androxgh0st malware family includes this CVE among the flaws it exploits to take over servers.

## Remediation

Versions 4.8.28, 5.6.3, and all later (including 6.x and beyond) are patched and safe. Upgrading is only part of the fix, though: PHPUnit is a development dependency and has no business on a production server. Install production dependencies with `composer install --no-dev` so that PHPUnit is never present, keep the `vendor` directory outside the web server's document root, and deny HTTP access to `/vendor` as defence in depth. A quick exposure check is to request `/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php` on your own site: a 200 response means the file is reachable and the host must be treated as exposed until the file is removed or blocked.
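The detection and exposure checks described above, as an added example that is not code from this article or from the PHPUnit project. It assumes web-server access logs in the common Apache/nginx "combined" format and a Composer-managed tree with `vendor/composer/installed.json`; the log lines, `installed.json` and `composer.json` embedded below are constructed samples, and the scanner path prefixes they use (`/laravel/vendor/...`, `/lib/...`) are illustrative variants, not a list taken from any real campaign.

```python
"""Added example: spot CVE-2017-9841 scanning in access logs and decide
whether a deployed Composer tree exposes a vulnerable eval-stdin.php.
Not code from the article or from PHPUnit; all sample data is constructed."""
import json
import re

# Real location of the helper inside the PHPUnit package. The casing
# (Util/PHP) is what scanners request; a lowercase path would 404 on a
# case-sensitive filesystem.
EVAL_STDIN_PATH = "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

# Assumed "combined" log format; only the fields we need are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
_TARGET_RE = re.compile(r"eval-stdin\.php$", re.IGNORECASE)

# Constructed sample: one scanner probe, one apparently successful POST,
# one unrelated request, one POST blocked by a deny rule on /vendor.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:03:14:07 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:03:14:08 +0000] "POST /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:03:20:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:03:20:02 +0000] "POST /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 153 "-" "curl/7.88"
"""

# Constructed sample of vendor/composer/installed.json (Composer 2 layout)
# and of the project's composer.json.
SAMPLE_INSTALLED_JSON = json.dumps({"packages": [
    {"name": "phpunit/phpunit", "version": "5.6.2"},
    {"name": "symfony/yaml", "version": "3.4.0"},
]})
SAMPLE_COMPOSER_JSON = json.dumps({
    "require": {"php": ">=5.6"},
    "require-dev": {"phpunit/phpunit": "^5.6"},
})


def scan_access_log(lines):
    """Return one dict per request aimed at eval-stdin.php.

    Scanners try the file under many prefixes, so match on the script name
    rather than on one fixed URL. A POST answered with 200 is a probable
    successful exploitation; a 404/403 is a probe that found nothing."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if not _TARGET_RE.search(path):
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "path": path,
            "status": status,
            "likely_exploited": m.group("method") == "POST" and status == 200,
        })
    return hits


def is_vulnerable_version(version):
    """CVE-2017-9841 affects PHPUnit before 4.8.28 and 5.x before 5.6.3."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable PHPUnit version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    if v[0] < 5:
        return v < (4, 8, 28)
    if v[0] == 5:
        return v < (5, 6, 3)
    return False


def phpunit_version(installed_json_text):
    """Installed phpunit/phpunit version from vendor/composer/installed.json.
    Composer 2 wraps the list in {"packages": [...]}; Composer 1 wrote a bare list."""
    data = json.loads(installed_json_text)
    packages = data.get("packages", []) if isinstance(data, dict) else data
    for pkg in packages:
        if pkg.get("name") == "phpunit/phpunit":
            return pkg.get("version")
    return None


def assess_deployment(installed_json_text, composer_json_text, file_reachable):
    """Combine version, web exposure and dependency type into one verdict.

    file_reachable: whether EVAL_STDIN_PATH exists under the web root, e.g.
    Path(docroot, EVAL_STDIN_PATH).is_file() on the server being checked."""
    version = phpunit_version(installed_json_text)
    composer = json.loads(composer_json_text)
    dev_only = "phpunit/phpunit" in composer.get("require-dev", {})
    verdict = {"version": version, "exposed": file_reachable,
               "dev_only": dev_only, "vulnerable": False, "advice": []}
    if version is None:
        return verdict  # PHPUnit not installed at all: nothing to exploit
    old = is_vulnerable_version(version)
    verdict["vulnerable"] = file_reachable and old
    if old:
        verdict["advice"].append("upgrade phpunit/phpunit to 4.8.28 / 5.6.3 or later")
    if file_reachable:
        verdict["advice"].append("deny web access to /vendor or move it outside the document root")
    if file_reachable and dev_only:
        verdict["advice"].append("deploy with 'composer install --no-dev' so PHPUnit is never installed in production")
    return verdict


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG.splitlines()):
        flag = "EXPLOITED?" if h["likely_exploited"] else "probe"
        print(f'{flag:11} {h["ip"]:15} {h["method"]:4} {h["status"]} {h["path"]}')
    print(assess_deployment(SAMPLE_INSTALLED_JSON, SAMPLE_COMPOSER_JSON, file_reachable=True))
```

Even a `likely_exploited` hit with status 200 is only a strong hint, since access logs do not record the POST body; treat such a host as compromised until a forensic review of the web-server user's writable directories says otherwise. The verdict deliberately reports a patched-but-exposed install as not vulnerable to this CVE while still advising removal, because a test framework reachable from the internet is an unnecessary attack surface regardless of version.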