
The Anatomy of a Critical Vulnerability: Dissecting vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (CVE-2017-9841)

For System Administrators

  1. Check for the file:

    find /var/www/html -name "eval-stdin.php" -type f
    
  2. Check web server logs for suspicious POST requests:

    grep "eval-stdin.php" /var/log/nginx/access.log | grep "POST"
    grep "eval-stdin.php" /var/log/apache2/access.log
    
  3. Look for anomalies:

    • Unexpected files in upload directories (shells like cmd.php, x.php)
    • Unusual processes running (curl, wget, nc, bash)
    • Outbound connections on non-standard ports
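The following Python script is an added detection example, not part of the original article: it runs the log check from step 2 over a few constructed access-log lines (nginx/Apache combined format, sample traffic only), separating a POST to eval-stdin.php that received a 2xx response (the request that could actually have executed code) from GET probes and from other hits on /vendor/. The severity labels and the LOG_RE pattern are my choices, not anything the article defines.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the nginx/Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 43 "-" "curl/7.88.1"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
192.0.2.15 - - [10/Oct/2023:14:01:11 +0000] "GET /vendor/autoload.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return a severity label for one parsed entry, or None if it is not of interest."""
    path = entry["path"].lower()
    if "eval-stdin.php" in path:
        # A POST answered with 2xx means the file existed and the body was handed to PHP.
        if entry["method"] == "POST" and entry["status"].startswith("2"):
            return "critical"
        return "probe"            # scanner checking whether the file exists
    if "/vendor/" in path:
        return "vendor-access"    # /vendor/ should not be web-reachable at all
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity:
            findings.append({"severity": severity, **entry})
    return findings


def hosts_to_review(findings: List[Dict[str, str]]) -> List[str]:
    """Client IPs that touched eval-stdin.php, for correlation with the anomaly checks in step 3."""
    return sorted({f["ip"] for f in findings if f["severity"] in ("critical", "probe")})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:13} {f['ip']:15} {f['method']:4} {f['status']} {f['path']}")
    print("review:", hosts_to_review(scan_log(SAMPLE_LOG)))
```

On a real server, feed it the log file contents instead of SAMPLE_LOG; a "critical" hit is the cue to move straight to the anomaly checks in step 3 for that time window.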

CVE-2017-9841

This is the primary vulnerability associated with that file path.

4. Why Does This Happen?

How the Vulnerability Works

The vulnerability exists because the eval-stdin.php file allows execution of arbitrary PHP code supplied in the HTTP POST body.

  1. The Flaw: The file contains logic that reads data from php://stdin (standard input) and passes it directly to the eval() function. When PHP runs under a web SAPI such as CGI or FPM, php://stdin is the raw request body, so whatever is POSTed becomes the code that is evaluated.
  2. The Attack Vector: If this file is accessible via a web request (e.g., a user visits http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php in a browser), the server will execute any code sent in the body of the HTTP POST request.
  3. Impact: Attackers can execute arbitrary code on the server with the privileges of the web server user (often www-data or apache). This allows them to take control of the system, steal data, or deface the website.

8. Remediation Steps

  1. Update PHPUnit (if used in production – which it shouldn’t be):

    composer require --dev phpunit/phpunit:^5.6.3
    
  2. Remove PHPUnit from production entirely (deploy without development dependencies):

    composer install --no-dev
    
  3. Block access to /vendor/ via web server configuration:

    • Apache (in httpd.conf or the virtual host; a <Directory> block is not permitted inside .htaccess and would cause a 500 error there):
      <Directory "/var/www/html/vendor">
          Require all denied
      </Directory>
      The equivalent .htaccess, placed inside vendor/ itself, is the single line "Require all denied".
      
    • Nginx:
      location ~ /vendor/ {
          deny all;
          return 403;
      }
      
  4. Scan for backdoors if the server was previously vulnerable, using the log and anomaly checks listed under "For System Administrators".
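As an added example that is neither the article's code nor PHPUnit's, the script below automates the verification side of steps 1 and 2 here together with the file check from the first section: it walks a document root for eval-stdin.php, reads the installed phpunit/phpunit version from composer.lock, and compares it against the fixed releases (5.6.3, as this page states, and 4.8.28, the fixed release of the 4.x branch named in the advisory). build_demo_tree() writes a constructed throwaway docroot with a placeholder file and a composer.lock pinning 5.6.2 so the audit runs offline; in practice, point audit() at the real document root. The function names and the report keys are my own.

```python
import json
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Fixed releases for CVE-2017-9841: 4.8.28 for the 4.x branch, 5.6.3 for 5.x.
FIXED = {4: (4, 8, 28), 5: (5, 6, 3)}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn Composer-style versions ("v5.6.2", "5.6.2-beta1") into a comparable tuple."""
    v = v.lstrip("v").split("-")[0]
    return tuple(int(p) for p in v.split(".")[:3])


def phpunit_is_vulnerable(version: str) -> bool:
    ver = parse_version(version)
    if ver[0] < 4:
        return True                      # anything older than the 4.8.28 fix
    if ver[0] in FIXED:
        return ver < FIXED[ver[0]]
    return False                         # 6.x and later shipped after the fix


def phpunit_version_from_lock(lock_path: str) -> Optional[str]:
    with open(lock_path) as f:
        lock = json.load(f)
    # --no-dev installs skip "packages-dev"; a vulnerable PHPUnit can still be listed there.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "phpunit/phpunit":
                return pkg.get("version")
    return None


def find_eval_stdin(root: str) -> List[str]:
    """Same check as `find <root> -name eval-stdin.php -type f`."""
    hits = []
    for dirpath, _, files in os.walk(root):
        if "eval-stdin.php" in files:
            hits.append(os.path.join(dirpath, "eval-stdin.php"))
    return sorted(hits)


def audit(docroot: str) -> Dict[str, object]:
    files = find_eval_stdin(docroot)
    lock = os.path.join(docroot, "composer.lock")
    version = phpunit_version_from_lock(lock) if os.path.exists(lock) else None
    return {
        "eval_stdin_files": files,
        "phpunit_version": version,
        "vulnerable_version": phpunit_is_vulnerable(version) if version else None,
        # Any copy under the web root needs removing or blocking, whatever the version.
        "action_needed": bool(files),
    }


def build_demo_tree() -> str:
    """Constructed sample docroot (not a real install) so the audit can run offline."""
    root = tempfile.mkdtemp(prefix="docroot-")
    target = os.path.join(root, "vendor", "phpunit", "phpunit", "src", "Util", "PHP")
    os.makedirs(target)
    with open(os.path.join(target, "eval-stdin.php"), "w") as f:
        f.write("<?php // placeholder standing in for the real file\n")
    with open(os.path.join(root, "composer.lock"), "w") as f:
        json.dump({"packages": [],
                   "packages-dev": [{"name": "phpunit/phpunit", "version": "5.6.2"}]}, f)
    return root


if __name__ == "__main__":
    print(json.dumps(audit(build_demo_tree()), indent=2))
```

Note that "action_needed" is driven by file presence, not by the version: even a patched PHPUnit has no business being reachable under /var/www/html, which is why step 2 and step 3 matter regardless of the update in step 1.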