Summary: Fixed handling of code read from STDIN to prevent PHP parse errors and improve compatibility with heredoc/nowdoc input. Ensures input is trimmed correctly, fallback encoding handling added, and edge-case empty input is safely ignored.
The file eval-stdin.php was historically included in PHPUnit to allow code to be piped into the framework via standard input. However, because this file did not properly verify the source of the input, it allowed anyone who could reach the URL to run PHP commands.

Why This is Dangerous
For , inside the location block:
If you see a list of files (including eval-stdin.php ), directory indexing is ON, which multiplies the risk.
curl -X POST -d "<?php echo md5('test'); ?>" https://yourdomain.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
When executed in a CLI environment, php://input behaves predictably.
PHPUnit is a unit testing framework for the PHP programming language. It is an instance of the xUnit architecture for unit testing frameworks. PHPUnit was written by Sebastian Bergmann and is now maintained by a group of developers as part of The PHP Testers. PHPUnit is one of the most popular testing frameworks for PHP, widely used for ensuring that individual units of source code, typically a function or method, behave as expected.
This critical vulnerability allows remote attackers to execute arbitrary code on a web server without any authentication.
If you cannot update immediately, you can manually delete the src/Util/PHP/eval-stdin.php file as a temporary fix.

Suggested Feature: "Dependency Exposure Guard"
If successful, the server will output the result of the id command, revealing the system user and group. From there, the attacker can upload webshells, steal database credentials, or pivot to other internal systems.