
CVE-2017-9841: vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

The original code used a dangerous combination of functions:

```php
<?php
// Reads the raw request body (or STDIN under the CLI) and executes it as PHP.
eval('?>' . file_get_contents('php://input'));
```

The concern with scripts like eval-stdin.php is that they hand whatever input they receive straight to eval() or a similar function.

The file was small: a handful of lines that read STDIN and eval'd it. It was meant as a convenience for debugging, a way to run snippets against the app's runtime. In development, on a trusted machine, it could be a godsend. Left in production, exposed behind a route or a Composer bin stub, it was an invitation for disaster.

Vulnerability type: Remote Code Execution (RCE) / Code Injection. Severity: Critical (CVSS v3.1: 9.8).

| Item | Value |
|------|-------|
| Vulnerability | Remote Code Execution (RCE) |
| CVE | CVE-2017-9841 |
| Affected File | vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php |
| Attack Vector | HTTP POST to that file with PHP code in the request body |
| Patch | Remove PHPUnit from production / upgrade to PHPUnit ≥ 7.0 |
| Detection | `grep -r "eval-stdin" /var/www`; web logs showing POST requests to that URI |

```sh
# Locate any copy of the vulnerable helper under the current directory
find . -path "*/phpunit/src/Util/PHP/eval-stdin.php"
```
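The log-based detection in the table, worked through as an added example (not code from the page or from PHPUnit): it parses combined-format web access logs, normalises the request path so percent-encoded or mixed-case variants are not missed, and flags any request for eval-stdin.php, rating a POST that returned 200 highest because that is the shape of a successful exploitation. The log lines are constructed and the combined log format is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 52 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /VENDOR/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Fields of a combined-log-format line that the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Matched against the normalised (decoded, lower-cased) path.
TARGET = re.compile(r'/util/php/eval-stdin\.php$')


def parse_line(line):
    """Return a dict of ip/ts/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Strip the query string, decode percent-encoding and lower-case the path
    # so that "eval%2Dstdin.php" or "/VENDOR/..." still match.
    rec["path"] = unquote(rec["path"].split("?", 1)[0]).lower()
    return rec


def find_eval_stdin_hits(log_text):
    """Return every request for eval-stdin.php, tagged with a triage severity."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and TARGET.search(rec["path"]):
            # A POST answered with 200 means the file was present and ran the body;
            # GETs and non-200 responses are probes or blocked attempts.
            exploited = rec["method"] == "POST" and rec["status"] == 200
            rec["severity"] = "high" if exploited else "medium"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_eval_stdin_hits(SAMPLE_LOG):
        print(h["severity"], h["ts"], h["ip"], h["method"], h["path"], h["status"])
```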