vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php: CVE-2017-9841
Immediate remediation on a deployed site (PHPUnit is a development dependency and has no place in a production tree): rm -rf vendor/phpunit/ and redeploy with composer install --no-dev so it is not reinstalled.
| Item | Value |
|------|-------|
| Vulnerability | Remote Code Execution (RCE) |
| CVE | CVE-2017-9841 |
| Affected File | vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php |
| Attack Vector | Unauthenticated HTTP POST to that file with PHP code in the request body |
| Patch | Remove PHPUnit from production (dev-only dependency), or upgrade to PHPUnit 4.8.28+ (4.x) / 5.6.3+ (5.x) |
| Detection | find /var/www -name eval-stdin.php; search web server logs for POST requests to that URI |
A vulnerability in a file like eval-stdin.php, shipped inside a framework as widely installed as PHPUnit, has significant security implications. An unauthenticated attacker can exploit it to execute arbitrary PHP code on the server, leading to severe consequences such as:
CVE-2017-9841 affects PHPUnit before 4.8.28 and 5.x before 5.6.3. The vulnerable script is vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (or a similar path, depending on where Composer placed the package). It is intended as a CLI helper that executes code handed to it by a parent PHPUnit process, but the affected versions read that code from php://input, i.e. the raw body of the HTTP request, and pass it straight to eval() without any authentication or validation.

Vulnerability Type: Remote Code Execution (RCE) / Code Injection. CVSS Score: 9.8 (Critical). Affected Versions: PHPUnit before 4.8.28 and 5.x before 5.6.3 (per NVD).

2. Why This Happens

This vulnerability is exploited in production environments where the Composer vendor/ directory is accidentally exposed to the public internet, so the script can be requested directly by URL.

Root cause: the eval() function executes whatever string is passed to it as live PHP code. By wrapping php://input directly inside eval() without validation, PHPUnit created a direct, unauthenticated code injection vector. The leading '?>' closes PHP mode before the request body is appended, which is why a payload that begins with <?php is executed as code.
```php
<?php
// eval-stdin.php (vulnerable version): executes the HTTP request body as PHP
eval('?>' . file_get_contents('php://input'));
?>
```
If you're using an older branch, ensure you are on at least version 4.8.28 (4.x) or 5.6.3 (5.x).
The fix in the patched releases is a one-line change: the script reads from php://stdin (the pipe from the parent PHPUnit process) instead of php://input (the HTTP request body), so whatever a web client POSTs is no longer executed.
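To make the Detection row above and the php://input versus php://stdin distinction concrete, here is an added example (my own code, not from the original page or from the PHPUnit project): it flags POST requests to any eval-stdin.php path in Apache/nginx combined-format access log lines, and walks a web root classifying each copy of the file as vulnerable or patched by which stream it feeds to eval(). The log lines, the throwaway fixture tree, and all function names are my own constructions, not artefacts from a real incident.

```python
"""Detection helpers for CVE-2017-9841 (PHPUnit eval-stdin.php exposed over HTTP).

Added example, not code from the PHPUnit project or from the original page.
Two checks a responder would run:
  1. scan_access_log(): flag POST requests to any eval-stdin.php path in
     Apache/nginx "combined"-format access logs.
  2. find_eval_stdin(): locate eval-stdin.php under a web root and classify
     each copy as vulnerable (reads php://input, the HTTP request body)
     or patched (reads php://stdin, the CLI parent's pipe).
The log lines and the fixture tree below are constructed for this example.
"""
import os
import re
import tempfile

# "combined" log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

TARGET_BASENAME = "eval-stdin.php"


def is_exploit_attempt(line):
    """Return (ip, path) if the line is a POST to an eval-stdin.php path, else None.

    A GET is reconnaissance (the script runs nothing without a body); the CVE is
    triggered by a POST carrying PHP code, so only POSTs are reported.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore any query string
    if m.group("method") == "POST" and path.rsplit("/", 1)[-1] == TARGET_BASENAME:
        return m.group("ip"), path
    return None


def scan_access_log(lines):
    """Return a list of (ip, path) for every exploit attempt in an iterable of log lines."""
    hits = []
    for line in lines:
        hit = is_exploit_attempt(line)
        if hit:
            hits.append(hit)
    return hits


def classify_eval_stdin(source):
    """Classify an eval-stdin.php file by which stream it hands to eval()."""
    if "php://input" in source:
        return "vulnerable"  # executes the HTTP request body
    if "php://stdin" in source:
        return "patched"     # executes only what the parent CLI process pipes in
    return "unknown"


def find_eval_stdin(root):
    """Walk a web root; return {absolute path: classification} for each eval-stdin.php."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        if TARGET_BASENAME in files:
            full = os.path.join(dirpath, TARGET_BASENAME)
            with open(full, encoding="utf-8", errors="replace") as fh:
                found[full] = classify_eval_stdin(fh.read())
    return found


# Constructed sample traffic (not real logs): a probing GET, an exploit POST, a benign POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 32 "-" "python-requests/2.31"',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def build_fixture_webroot():
    """Create a throwaway web root holding one vulnerable and one patched copy of the file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    vuln = os.path.join(root, "vendor", "phpunit", "phpunit", "src", "Util", "PHP")
    fixed = os.path.join(root, "other", "phpunit", "src", "Util", "PHP")
    os.makedirs(vuln)
    os.makedirs(fixed)
    with open(os.path.join(vuln, TARGET_BASENAME), "w") as fh:
        fh.write("<?php\neval('?>' . file_get_contents('php://input'));\n")
    with open(os.path.join(fixed, TARGET_BASENAME), "w") as fh:
        fh.write("<?php\neval('?>' . file_get_contents('php://stdin'));\n")
    return root


if __name__ == "__main__":
    for ip, path in scan_access_log(SAMPLE_LOG):
        print(f"exploit attempt from {ip} -> {path}")
    for path, verdict in sorted(find_eval_stdin(build_fixture_webroot()).items()):
        print(f"{verdict:10s} {path}")
```

The log check matches on the file's basename rather than the exact vendor path because, as noted above, the package may live under a different prefix; the file check reports a copy as patched only when it reads php://stdin, so a renamed or hand-edited script still shows up as "unknown" for manual review.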