What is phpunit/src/Util/PHP/eval-stdin.php ?

Created 23rd January 2024
Updated 20th May 2024

CVE-2017-9841

A remote code execution vulnerability exists in older versions of PHPUnit (4.8.28 to 5.x < 5.6.3), specifically in the eval-stdin.php file. Attackers search for this file because, wherever it is reachable over HTTP, the RCE can be triggered with a single POST request carrying a payload in the body.

The RCE stems from an unchecked, unsanitized call to eval: the raw request body read from php://input is appended to a string and evaluated as PHP.

In normal use, PHPUnit uses this file to execute code passed to the process over standard input. The file itself is not malicious, but if it is uploaded to production or publicly accessible hosts it can be used in an exploitative manner.

Check whether your PHPUnit installation has been deployed to a production or public environment, and determine whether it should be there. Consider removing PHPUnit from production or restricting access to it.
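Added example (not from the original page or the PHPUnit project): a Python check that flags requests for the known PHP/eval-stdin.php path in access-log lines and lists any copies of the file under a web root. The log lines, IP addresses and paths below are constructed for the demonstration.

```python
import re
from pathlib import Path

# Constructed sample of "combined" format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jan/2024:10:01:12 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 132 "-" "curl/8.1.2"
198.51.100.9 - - [23/Jan/2024:10:01:13 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jan/2024:10:01:14 +0000] "POST /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "curl/8.1.2"
192.0.2.5 - - [23/Jan/2024:10:02:00 +0000] "GET /phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

# Minimal parser for the combined log format: client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request path from the page, matched case-insensitively anywhere in the URL path.
TARGET = "php/eval-stdin.php"


def find_eval_stdin_requests(log_text: str) -> list[dict]:
    """Return every request whose path contains PHP/eval-stdin.php.

    Any hit is worth investigating (it shows someone probing for the file).
    A POST answered with HTTP 200 means the file was present and executed,
    which is the case that needs incident response rather than just blocking.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0].lower()
        if TARGET not in path:
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": status,
            "executed": m.group("method") == "POST" and status == 200,
        })
    return hits


def find_eval_stdin_files(docroot: Path) -> list[Path]:
    """List copies of eval-stdin.php below a web root; PHPUnit should not be there."""
    return sorted(p for p in docroot.rglob("eval-stdin.php") if p.is_file())
```

Run the first function over real access logs and the second against each web root; a hit with "executed" set to True indicates the file was present and served a POST, not just probed for.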


References

  1. https://support.alertlogic.com/hc/en-us/articles/115005711043-PHPUnit-eval-stdin-php-Unauthenticated-RCE
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841
  3. https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5

Other known request paths

  1. PHP/eval-stdin.php