PHPUnit is the de facto standard for unit testing in the PHP ecosystem. It helps developers validate that individual components of their applications function as expected. In modern PHP development, PHPUnit is typically installed via Composer, the PHP dependency manager.

How the Attack Works

Vulnerable PHPUnit releases ship a helper script at vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. If the vendor directory is publicly accessible via the web server, an attacker can send an HTTP POST request containing malicious PHP code directly to this file, forcing the server to execute it. The request body is nothing more than raw PHP, for example:

    <?php system('id'); ?>

The article illustrates the payload with this snippet:

    // malicious.php
    // Note: this only feeds the string to the local process's stdin stream;
    // it does not contact any server. The delivery is the HTTP POST above.
    $malicious_code = '<?= system("ls -l"); ?>';
    $fp = fopen('php://stdin', 'w');
    fwrite($fp, $malicious_code);
    fclose($fp);

The server executes the attacker's code, potentially allowing them to steal environment variables (like .env files), access databases, or install persistent malware.

Why Is It Still Relevant?

"Who keeps PHPUnit in production?" she muttered.

More deployments than you would expect: any site whose dependencies were installed with a plain composer install, without excluding dev packages, ships the entire test framework, including this file, alongside the application, and the vulnerable file stays there until PHPUnit is upgraded or removed.

Remediation

1. Update PHPUnit

The safest and most straightforward remediation is upgrading to a patched version. The maintainers patched this vulnerability in versions 5.6.3 and later.

2. Restrict Web Access to the Vendor Directory

Configure the web server so that nothing under vendor/ can be requested over HTTP. The directory contains library code that the application includes internally; it never needs to be served directly.

3. Never Install Dev Dependencies in Production

PHPUnit is a development dependency: it is needed to run the test suite, not to serve the application. When deploying to production, use the --no-dev flag with Composer:

    composer install --no-dev --optimize-autoloader

Detection

If you are worried your site has been compromised, review your vendor directory immediately and check server logs for unexpected POST requests to the eval-stdin.php file.

To locate copies of the file under the web root:

    find /var/www -path "*/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" -exec ls -la {} \;

To confirm whether your own deployment is exposed, send a benign POST request containing <?php echo "test"; ?> and check whether "test" appears in the response (replace target.com and the path with your own host and the file's location):

    curl -s -X POST http://target.com/path/to/eval-stdin.php -d "<?php echo 'test'; ?>" | grep test
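The two detection steps above (look for the file on disk, look for POST requests to it in the access log) packaged as one POSIX sh script. This is an added example, not code from the original article or from the PHPUnit project; the web root layout, the temporary directory and the "combined"-format log lines it creates are constructed so the script runs offline, and in practice you would point the functions at your real web root and access log.

```shell
#!/bin/sh
# Added example (not from the original article): defender-side checks for the
# eval-stdin.php exposure. Sample data below is constructed for illustration.

# Location of the vulnerable file relative to the Composer vendor directory.
EVAL_STDIN_REL='vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'

# Check 1: list every copy of eval-stdin.php under a web root. Any hit means a
# development dependency (PHPUnit) was deployed with the application.
find_eval_stdin() {
  find "$1" -type f -path "*/$EVAL_STDIN_REL" 2>/dev/null
}

# Check 2: scan a "combined"-format access log (Apache/Nginx default) for POST
# requests aimed at eval-stdin.php. Prints one "client_ip status" pair per hit.
scan_log_for_eval_stdin() {
  grep -E '"POST [^"]*/eval-stdin\.php' "$1" | awk '{print $1, $9}'
}

# Total POST hits, and how many returned HTTP 200. A 200 means the file existed
# and PHP ran the request body: that client is an incident, not just a blocklist entry.
count_eval_stdin_posts() {
  scan_log_for_eval_stdin "$1" | wc -l | tr -d ' '
}
count_successful_eval_stdin_posts() {
  scan_log_for_eval_stdin "$1" | awk '$2 == 200' | wc -l | tr -d ' '
}

# --- Constructed sample data so the script runs offline ---------------------
SAMPLE_ROOT="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/site/$(dirname "$EVAL_STDIN_REL")"
: > "$SAMPLE_ROOT/site/$EVAL_STDIN_REL"          # a stray dev dependency
SAMPLE_LOG="$SAMPLE_ROOT/access.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 15 "-" "curl/7.88.1"
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "POST /old/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
EOF

echo "Copies of eval-stdin.php under $SAMPLE_ROOT:"
find_eval_stdin "$SAMPLE_ROOT"
echo "POST requests to eval-stdin.php (client status):"
scan_log_for_eval_stdin "$SAMPLE_LOG"
echo "Total: $(count_eval_stdin_posts "$SAMPLE_LOG"), executed (HTTP 200): $(count_successful_eval_stdin_posts "$SAMPLE_LOG")"
```

The status-code split is the part worth keeping: a 404 hit shows someone probing for the file, which is routine background noise, while a 200 hit shows the probe reached a real copy and the request body was executed, so that host needs the full incident-response treatment (credential rotation for anything in .env, a review of what else the client touched) rather than only the remediation steps above.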