1. Core Vulnerability Details

The vulnerability associated with vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php is CVE-2017-9841, a critical Remote Code Execution (RCE) flaw tracked by the National Institute of Standards and Technology's National Vulnerability Database. It affects PHPUnit releases before 4.8.28 and 5.x releases before 5.6.3. The flaw exists in the eval-stdin.php helper script: the script reads PHP code and hands it straight to eval() without any authentication, so if the vendor/ directory is reachable through the web server, anyone on the internet can execute arbitrary PHP on the host.

The exploitation process is simple, involving just a few steps. An attacker sends a crafted HTTP POST request to the script whose body contains PHP code starting with <?php, for example:

    POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
    Host: victim.com

    <?php phpinfo();

In simplified form, the vulnerable script does the following (an illustration of the logic, not PHPUnit's exact source; the affected releases read the raw request body through php://input, and the fix in 4.8.28 and 5.6.3 switched the read to php://stdin, which an HTTP request cannot feed):

    <?php
    // Read the raw POST body and execute it as PHP
    $input = file_get_contents('php://input');
    if (strpos($input, '<?php') === 0) {
        eval(substr($input, 5)); // Execute any PHP code passed in the request body
    }

To check a site, send the request above with <?php phpinfo(); as the body: if your site displays the PHP info page, you are vulnerable. If you are running a legacy system and are unsure whether you are exposed, checking your composer.lock file for the affected PHPUnit versions is the best first step.

A notable real-world impact was on Drupal sites using the Mailchimp and Mailchimp E-Commerce modules. These modules included PHPUnit as a dependency, making over 25,000 sites vulnerable. Attackers exploited the flaw to compromise these Drupal sites, leading Drupal to issue a public service announcement (PSA-2019-09-04).

2. Mitigation Steps

Run composer install --no-dev to ensure development tools like PHPUnit are never deployed to production.

If the script has already reached production (which it shouldn't have), remove it:

    rm vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

Where PHPUnit genuinely must stay installed, upgrade it to 4.8.28, 5.6.3 or a later release, and make sure the vendor/ directory is not served by the web server at all, since an exposed vendor/ folder is what makes this script reachable in the first place.