The vulnerability exists in the file vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. The contents of the file in vulnerable versions are minimal and look roughly like this:

```php
<?php
/*
 * This file is part of PHPUnit.
 *
 * (c) Sebastian Bergmann <sebastian@phpunit.de>
 */
// ... license header ...
eval('?>' . file_get_contents('php://input'));
```

Let's look at a simplified version of the vulnerable code present in PHPUnit versions before 4.8.28 and 5.6.3:

```php
<?php
// vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
// Reads the raw HTTP request body and executes it as PHP, with no authentication or validation.
while (($input = file_get_contents('php://input')) !== '') eval('?>' . $input);
```

The Disaster Logic:
In essence, this file says: "Dear internet, please send me any PHP code you like. I promise to run it immediately."

The attacker needs to bypass typical web application firewalls (WAFs) or input sanitization. The raw payload looks like this:

```php
<?php system('id'); ?>
```

However, for a cleaner exploit, they might use:

```php
<?php echo shell_exec($_GET['cmd']); ?>
```

The primary fix is to update PHPUnit to a version where this vulnerability is patched (specifically version 4.8.28 or 5.6.3 and above). However, for legacy systems, updating may not always be immediately feasible.

Run this on your web servers:

```sh
find /var/www -path "*/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" -exec ls -la {} \;
```

If any results appear, assume compromise.

Remove PHPUnit from production entirely:

```sh
composer remove --dev phpunit/phpunit
```

Update Composer Deployment Strategy: Never install dev dependencies in production.

```sh
# Wrong (for production)
composer install

# Right (for production)
composer install --no-dev --optimize-autoloader
```

Fix your Web Root:
Ensure your Apache DocumentRoot or Nginx root points to a public/ folder far away from vendor/.
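The two checks above (is the installed PHPUnit older than 4.8.28 / 5.6.3, and is eval-stdin.php reachable under the web root) can be scripted together. This is an added example, not code from the original post or from the PHPUnit project; the composer.lock fragment is constructed, and it assumes (which the post does not state) that every release from 6.0 onward also ships the fix.

```python
import json
import tempfile
from pathlib import Path

# Thresholds the post states: fixed in 4.8.28 and 5.6.3.
# Assumption (not on the page): every release from 6.0 onward also carries the fix.
FIXED = {4: (4, 8, 28), 5: (5, 6, 3)}

# Constructed sample composer.lock fragment (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "monolog/monolog", "version": "1.23.0"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "5.5.4"}],
})

def parse_version(v):
    """'v5.7.27' -> (5, 7, 27); non-numeric suffixes such as '-beta1' are dropped."""
    parts = []
    for piece in v.lstrip("v").split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(v):
    ver = parse_version(v)
    if ver[0] < 4:
        return True                    # anything older than 4.8.28
    if ver[0] in FIXED:
        return ver < FIXED[ver[0]]     # 4.x and 5.x branches each have their own fix point
    return False                       # assumption: 6.x and later carry the fix

def phpunit_versions(lock_text):
    """Map lock section -> phpunit/phpunit version, for every section it appears in."""
    lock = json.loads(lock_text)
    return {section: pkg["version"]
            for section in ("packages", "packages-dev")
            for pkg in lock.get(section, [])
            if pkg.get("name") == "phpunit/phpunit"}

def find_eval_stdin(root):
    """Same files the post's find command reports: */Util/PHP/eval-stdin.php below root."""
    return sorted(str(p) for p in Path(root).rglob("eval-stdin.php")
                  if p.parent.name == "PHP" and p.parent.parent.name == "Util")

def demo():
    """Build a constructed vendor tree in a temp dir and run both checks over it."""
    root = Path(tempfile.mkdtemp())
    target = root / "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
    target.parent.mkdir(parents=True)
    target.write_text("<?php eval('?>' . file_get_contents('php://input'));\n")
    versions = phpunit_versions(SAMPLE_LOCK)
    return {"vulnerable_version": any(is_vulnerable_version(v) for v in versions.values()),
            "eval_stdin_files": [str(Path(p).relative_to(root)) for p in find_eval_stdin(root)]}
```

Point find_eval_stdin at the real DocumentRoot and phpunit_versions at the deployed composer.lock; either check firing means the dev dependency reached production.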