NeoTeo

vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php exploit: how it works

The vulnerability (CVE-2017-9841) is a Remote Code Execution (RCE) flaw in PHPUnit, affecting the 5.x line before 5.6.3 (earlier lines are affected as well).

When deploying to production, install without development dependencies by passing the --no-dev flag to Composer, so PHPUnit never lands on the server in the first place:

composer install --no-dev --optimize-autoloader

curl -s -X POST http://target.com/path/to/eval-stdin.php -d "<?php echo 'test'; ?>" | grep test

Look for GET or POST requests to paths containing vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.
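As an added example (not code from the original page), the following Python detector applies the log-review advice above to a few constructed access-log lines in combined log format: it URL-decodes and case-folds each request path, matches the fixed PHPUnit tail wherever it appears (scanners try many prefixes), and separates POSTs that received a 200 from mere probes. The IP addresses are constructed documentation-range values.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 17 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:00:03 +0000] "POST /Vendor/PHPUnit/phpunit/src/Util/PHP/Eval-Stdin.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2024:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2024:12:00:05 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin%2Ephp HTTP/1.1" 200 17 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Scanners prepend framework-specific prefixes, so match the fixed PHPUnit tail anywhere in the path.
TARGET_TAIL = "vendor/phpunit/phpunit/src/util/php/eval-stdin.php"

def normalize_path(path):
    """Drop the query string, URL-decode twice (catches double encoding), fold case."""
    path = path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.lower()

def is_eval_stdin_probe(path):
    return TARGET_TAIL in normalize_path(path)

def scan_log(text):
    """Return (ip, method, status, path) for every request aimed at eval-stdin.php."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if is_eval_stdin_probe(m["path"]):
            hits.append((m["ip"], m["method"], int(m["status"]), m["path"]))
    return hits

def likely_successful(hits):
    """Subset of hits where a POST got a 200: the script existed and likely ran the request body."""
    return [h for h in hits if h[1] == "POST" and h[2] == 200]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("needs incident response:", likely_successful(found))
```

A 404 or 403 on these paths is a probe to log and block; a 200 on a POST means the request body was handed to the script and the host should be treated as compromised until proven otherwise.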

Because different frameworks handle routing and directory structures differently, attackers scan a variety of common path prefixes in front of the PHPUnit location.

In many shared hosting or poorly configured nginx/Apache setups, the web root points to the project root (where vendor/ lives) instead of a /public subdirectory. This exposes every vendor file to the world.

(Note: deleting eval-stdin.php alone does not fix the root cause, since the vendor directory remains web-accessible, but it does stop the automated attacks that target this one file.)

The server executes the attacker's code, potentially allowing them to steal secrets from environment variables and .env files, access databases, or install persistent malware.

POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

An attacker can exploit this by sending a specially crafted HTTP POST request to the vulnerable endpoint.

Because php://input reads raw data from the body of an HTTP request, a remote attacker can send a POST request containing malicious PHP code.

The exploit targets the eval-stdin.php script in PHPUnit's src/Util/PHP directory. PHPUnit uses this script to evaluate PHP code passed to it on standard input. Because the script evaluates whatever it receives without validating where it came from, a request that reaches it over HTTP can supply PHP code that is executed on the server.

The issue arises from a critical oversight in deployment practices. PHPUnit, along with its directory structure (commonly /vendor/phpunit/ ), is meant to be used exclusively in development environments. However, due to the nature of modern PHP development using Composer, the entire /vendor directory—which contains PHPUnit and all third-party libraries—is often deployed alongside the application to production servers. When this directory is web-accessible, it creates a massive security risk. The presence of a single, small script within this directory transforms a harmless testing tool into a fully-fledged backdoor.

Run this command from your project root to see if you are vulnerable:
