vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php CVE Guide

The eval() construct executes any string as PHP code. The leading ?> tag is a trick to drop out of PHP mode, so the appended input is parsed like a fresh PHP file and any <?php ... ?> block it contains is executed. The net result is catastrophic: any HTTP POST data sent to this script is executed as PHP.


This file is part of PHPUnit's internal structure and was never intended to be a public-facing web script. Its function is to receive code over php://stdin and execute it with eval(), a necessity for PHPUnit's own internal processes, but catastrophic if done on a web server.

testing framework when it is accidentally deployed to production environments with its directory publicly accessible.

Vulnerable Function: The file eval-stdin.php contained the following code:

eval('?>' . file_get_contents('php://input'));

It reads raw data from the HTTP POST body (php://input) and passes it directly into the eval() function without any authentication or sanitization. An attacker can therefore execute arbitrary PHP code (e.g., system("id");).

The Immortal Flaw: Why the vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php CVE (CVE-2017-9841) Still Dominates Threat Logs

The impact of a successful attack is severe, with consequences escalating quickly:


The vulnerability affects the following PHPUnit versions:

CVE-2017-9841 is a critical Remote Code Execution (RCE) vulnerability affecting specific versions of PHPUnit, a widely used unit testing framework for PHP. The flaw resides in the eval-stdin.php script, which uses the eval() function to execute PHP code. When this file is reachable over a web server, an attacker can send a POST request with a PHP payload to achieve arbitrary code execution. The vulnerability is cataloged as CWE-94 (Improper Control of Generation of Code, or 'Code Injection').

A SANS ISC honeypot recorded from a single IP address targeting CVE-2017-9841 over a period, with 92 hits in a single day, demonstrating the persistent scanning activity for this vulnerability. The volume of scanning shows it remains a priority target for automated vulnerability scanners.
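The scanning described above leaves a clear trace in ordinary web-server access logs. The following detection script is an added example, not code from the page or from SANS ISC: it parses combined-format access log lines (the regex and the sample lines are constructed for this example), counts eval-stdin.php probes per source IP per day, and flags any POST to the script that was answered with HTTP 200, which is the case a defender actually needs to act on.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format (constructed regex for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_eval_stdin_probe(entry):
    # Scanners try the script under many install prefixes, so match on the
    # tail of the path (vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php).
    path = entry["path"].split("?", 1)[0]
    return path.lower().endswith("/src/util/php/eval-stdin.php")

def scan_log(lines):
    """Return ({(ip, day): probe count}, [POST probes answered with HTTP 200])."""
    hits = Counter()
    succeeded = []
    for line in lines:
        e = parse_line(line)
        if not e or not is_eval_stdin_probe(e):
            continue
        hits[(e["ip"], e["day"])] += 1
        # A 200 on a POST means the script was reachable and ran the request body.
        if e["method"] == "POST" and e["status"] == "200":
            succeeded.append(e)
    return hits, succeeded

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2024:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2024:10:01:03 +0000] "POST /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2024:10:01:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/May/2024:02:15:30 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 33 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    counts, ok = scan_log(SAMPLE_LOG)
    for (ip, day), n in sorted(counts.items()):
        print(f"{day} {ip}: {n} eval-stdin.php probe(s)")
    for e in ok:
        print(f"ALERT: {e['ip']} got HTTP 200 on POST {e['path']} on {e['day']}")
```

A 404 on these paths is background noise worth counting; a 200 means the vendor directory is web-exposed and the host should be treated as compromised until proven otherwise.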

In vulnerable versions of PHPUnit, the eval-stdin.php script was designed to process standard input data for test executions. However, the code originally accomplished this by evaluating the raw input directly:

eval('?>' . file_get_contents('php://input'));

<?php
// Vulnerable pattern as shown on this page: anything received on stdin that
// starts with an opening PHP tag is executed with eval() once the tag is stripped.
$input = file_get_contents('php://stdin');
if (strpos($input, '<?php') === 0) {
    eval(substr($input, 5)); // Execute any PHP code received on stdin
}