PHPUnit is a popular framework used by developers to test PHP code during development. It is meant to be run locally or within isolated testing environments.

The core of this vulnerability is a single file, eval-stdin.php. Its path is usually:

vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

In PHPUnit (versions 6.x through 9.x), this file is a small wrapper script used to evaluate PHP code. It reads PHP code from standard input and evaluates it.

That's it. The script reads whatever is sent to its standard input and passes it directly to eval(). In the context of a command-line test environment, this is harmless (even useful), because it allows PHPUnit to evaluate code snippets from pipes or process substitution.

In effect, when the file is reachable through the web server, the script accepts any PHP code sent to it via a POST request and executes it directly on the server. The only condition is that the submitted data must begin with <?php.

Automated scanners use search queries (like the one in the title of this article) to find open directories listing the PHPUnit path. Once the file's location is confirmed, an attacker can send a simple HTTP POST request to that URL to execute arbitrary commands. The following curl command demonstrates a Proof of Concept (PoC) that instructs the server to calculate and return the number pi (π), confirming code execution:

Step-by-Step Remediation

PHPUnit is a development tool and should generally not be installed on production servers. Use composer install --no-dev when deploying to production to exclude development dependencies like PHPUnit.

If you cannot move your directory structure immediately, manually delete the offending file:

rm vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

4. Disable Directory Browsing

For Apache, in your .htaccess or virtual host configuration:

Options -Indexes

Note: If you're integrating this into a PHPUnit test or configuration, ensure that you're referencing the correct path and that your environment allows for the execution of scripts from the vendor directory.
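A defender-side check for the scanning and POST activity described above, added here as an example and not part of the original article: it parses Apache combined-format access log lines (the sample lines are constructed, not real traffic), flags directory-listing probes of vendor/phpunit and requests to eval-stdin.php, and labels POSTs to the file as code-execution attempts, URL-decoding and lower-casing the path so encoded or re-cased variants are still caught.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines: a probe of the file, a POST delivering
# code to it, a directory-listing probe, an encoded variant, and benign noise.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:11:02:13 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 5 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:11:02:14 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:11:03:01 +0000] "GET /vendor/phpunit/ HTTP/1.1" 200 2048 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:11:03:30 +0000] "POST /app/vendor/phpunit/phpunit/src/util/php/eval%2Dstdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.10 - - [10/Mar/2024:11:04:00 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _normalize(raw_path):
    """Strip the query string, URL-decode and lower-case the request path."""
    return unquote(raw_path.split("?", 1)[0]).lower()


def is_eval_stdin_path(raw_path):
    """True if the request targets PHPUnit's eval-stdin.php under any web root prefix."""
    path = _normalize(raw_path)
    return path.endswith("/eval-stdin.php") and "/phpunit/" in path


def is_phpunit_listing(raw_path):
    """True if the request fetched a directory under vendor/phpunit (listing probe)."""
    path = _normalize(raw_path)
    return path.endswith("/") and "/vendor/phpunit" in path


def detect(log_text):
    """Return (ip, method, path, status, verdict) per suspicious request.

    'rce-attempt': POST to eval-stdin.php (a 200 means the script answered).
    'probe': GET of the file itself or of a vendor/phpunit directory listing.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        method, path, status = m["method"], m["path"], m["status"]
        if is_eval_stdin_path(path):
            verdict = "rce-attempt" if method == "POST" else "probe"
        elif is_phpunit_listing(path):
            verdict = "probe"
        else:
            continue
        hits.append((m["ip"], method, path, status, verdict))
    return hits
```

Run against a real access log, a 200 response to an `rce-attempt` hit is the strongest signal that the file was both present and reachable.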