Index Of Vendor Phpunit Phpunit Src Util Php Evalstdinphp -
Disclaimer: Only scan systems you own or have explicit permission to test.
Security teams can use the exact keyword string with slight variations to audit their own infrastructure:
Google Dorks (Now deprecated, but works on Bing or custom crawlers):
intitle:"index of" "eval-stdin.php"
intitle:"index of" "vendor/phpunit"
"parent directory" "eval-stdin.php"
Automated Scanning with grep or nuclei:
Nuclei has a template for this vulnerability (CVE-2017-9841); the version below is restored to valid YAML, with the `{{BaseURL}}` placeholder and a matcher so a hit is actually reported:

```yaml
id: CVE-2017-9841

info:
  name: PHPUnit - RCE
  severity: critical

requests:
  - method: POST
    path:
      - "{{BaseURL}}/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
    body: "<?php echo 'vulnerable'; ?>"
    matchers:
      - type: word
        words:
          - "vulnerable"
```
Manual Check:
Exploiting this vulnerability is trivial and requires no authentication or sophisticated exploit chains.
PHPUnit is a unit testing framework for PHP, widely used in the PHP development community to verify that code behaves as expected. The framework ships various utilities that support comprehensive testing. One such utility file is eval-stdin.php, located in the src/Util/PHP directory of PHPUnit.
The purpose of eval-stdin.php is to evaluate PHP code provided through standard input. This functionality can be useful for executing PHP code snippets dynamically, which might be necessary in certain testing scenarios or when integrating PHPUnit with other tools.
The file was designed to be invoked internally by PHPUnit’s test runners. It was never intended to be called directly by an end-user. However, the script lacks a "guard clause" (e.g., if (!defined('PHPUNIT_TESTING')) die();).
Consequently, if the web server (Apache, Nginx, IIS) is configured to serve files inside the vendor directory, anyone can request this URL over HTTP. The PHP interpreter executes the file, which reads the request's POST body via php://input and passes it directly to the dangerous eval() function.
The file eval-stdin.php is a utility script used by PHPUnit internally. Its legitimate purpose is to support the execution of test cases by reading PHP code from standard input (STDIN) and evaluating it within an isolated process.
The file typically contains logic similar to this simplified snippet:

```php
<?php
// Simplified representation of the vulnerable logic: whatever arrives on the
// input stream is handed straight to eval() with no check on the caller.
// (In the shipped file the input is read via php://input, which is why an
// HTTP POST body reaches eval() when the script is served by a web server.)
if (defined('STDIN')) {
    $code = stream_get_contents(STDIN);
    eval($code);
}
```
This functionality is designed to help developers run isolated unit tests, but the use of eval() is inherently dangerous if the input is not strictly controlled.
This file was never intended for production use. It belongs to PHPUnit’s testing suite, designed to run unit tests locally on a developer’s machine.
If a server runs PHPUnit version <= 5.6.2 and the vendor directory is reachable through the web server, eval-stdin.php exists and is callable via HTTP.
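Because the exposure described above leaves a clear trace in web server access logs (a request, typically a POST, for the eval-stdin.php path), a defender can sweep existing logs for it. The following is an added example, not code from the page or from PHPUnit: it parses Common/Combined Log Format lines, matches the path at any depth below the web root, undoes percent-encoding and query strings, and flags requests the server answered with 200 (meaning the script was actually served). The log lines are constructed samples using RFC 5737 documentation addresses.

```python
import re
from typing import List, NamedTuple
from urllib.parse import unquote

# The characteristic path, matched at any depth below the web root, since
# vendor/ is not always mounted directly at / (e.g. /lib/vendor/...).
EVAL_STDIN_RE = re.compile(
    r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$", re.IGNORECASE)

# Common/Combined Log Format: host ident user [time] "METHOD path PROTO" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')


class Hit(NamedTuple):
    host: str
    time: str
    method: str
    path: str
    status: int
    exposed: bool  # True when the server answered 200: the script was served


def scan_access_log(lines) -> List[Hit]:
    """Return every request for eval-stdin.php; a 4xx answer is only a probe,
    a 200 shows the vendor directory is web-reachable."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # unparseable line: skip instead of aborting the sweep
        # Drop the query string and undo percent-encoding so that a request
        # for eval%2Dstdin.php cannot slip past the path check.
        path = unquote(m["path"].split("?", 1)[0])
        if not EVAL_STDIN_RE.search(path):
            continue
        status = int(m["status"])
        hits.append(Hit(m["host"], m["time"], m["method"], path, status, status == 200))
    return hits


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 10
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "POST /lib/vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 404 153
198.51.100.9 - - [10/Oct/2023:13:57:13 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php?x=1 HTTP/1.1" 403 0
""".splitlines()

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(("EXPOSED " if h.exposed else "probe   ") + f"{h.host} {h.method} {h.path} -> {h.status}")
```

Run it against a real access log with `scan_access_log(open("access.log"))`; any hit with `exposed == True` means the vendor directory must be removed from the web root or denied in the server configuration, regardless of the PHPUnit version installed.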