Index of /vendor/phpunit/phpunit/src/Util/PHP: eval-stdin.php

curl -d "<?php system('id'); ?>" http://example.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

If your web server configuration allows directory listing (e.g., Options +Indexes in Apache), and the vendor folder is inside your web root (e.g., /var/www/html/vendor), an attacker can simply visit:

Let’s break down what this means and why it matters for web application security.

Check access logs for requests to eval-stdin.php, and look for unexpected processes or cron entries.
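As an added example (not part of the original page), the following Python scanner reads constructed web-server access-log lines in Combined Log Format and flags the patterns described above: POST requests to eval-stdin.php (critical when answered with 200), probes for the file, and successful responses anywhere under the vendor/ tree. The helper names (scan_access_log, classify) and the sample log lines are this example's own assumptions.

```python
"""Flag access-log entries that touch PHPUnit's eval-stdin.php or the vendor/ tree.

Sample log lines below are constructed for this example; the helper names are
hypothetical and not part of any real tool.
"""
import re
from typing import Dict, Iterable, List, Optional

# Apache/nginx Combined Log Format:
# ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The PHPUnit helper at any directory depth (vendor/ is not always at the root).
EVAL_STDIN_RE = re.compile(r'/phpunit/.*?/eval-stdin\.php', re.IGNORECASE)
# Any path under a vendor/ directory: a 200 here means the tree is web-reachable.
VENDOR_RE = re.compile(r'/vendor/', re.IGNORECASE)

# Constructed sample lines: one successful exploit-style POST, one directory
# listing, one probe that got 404, one benign hit, one POST denied with 403.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 31 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:30 +0000] "GET /vendor/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:05:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:12 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 199 "-" "curl/8.0"
"""


def classify(method: str, path: str, status: int) -> Optional[Dict[str, str]]:
    """Return a severity/reason pair for a request, or None if it is not of interest."""
    if EVAL_STDIN_RE.search(path):
        if method == "POST" and status == 200:
            return {"severity": "CRITICAL",
                    "reason": "POST to eval-stdin.php answered 200: payload likely executed"}
        if method == "POST":
            return {"severity": "HIGH",
                    "reason": f"POST to eval-stdin.php returned {status} (denied or missing)"}
        return {"severity": "HIGH", "reason": "probe for eval-stdin.php"}
    if VENDOR_RE.search(path) and status == 200:
        return {"severity": "MEDIUM",
                "reason": "vendor/ content served with 200: tree is reachable from the web"}
    return None


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse each log line and collect the findings, keeping ip, time and path for triage."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these separately
        verdict = classify(m["method"], m["path"], int(m["status"]))
        if verdict is None:
            continue
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": m["path"], "status": m["status"], **verdict,
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:8} {f['ip']:15} {f['method']} {f['path']} -> {f['status']}: {f['reason']}")
```

A CRITICAL finding (POST answered 200) should be treated as a confirmed compromise of the PHP process, so the host check for unexpected processes and cron entries follows directly from it; a MEDIUM finding on its own means the deployment still ships the vendor/ tree inside the web root and the web-server deny rule is missing.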

If this file is accessible via a web browser (an "Index of" page or direct URL), it indicates that your server's vendor folder is exposed to the public internet, which is a significant security risk.

Why This File is Dangerous

PHPUnit is the de facto standard for unit testing in PHP. It is almost always installed via Composer and ends up inside the vendor/phpunit/phpunit/ directory of a PHP project.

The technical fault lies in the way eval-stdin.php was engineered to handle standard input. The original script contained code structurally equivalent to:

eval('?>' . file_get_contents('php://input'));

Run this command via SSH or server terminal:

Adhering to strict production security practices—such as excluding development tools and restricting public access to sensitive directories—is crucial. As discussed on Reddit's r/PHP, this is a long-standing vulnerability frequently targeted by automated botnets. Configure web servers to deny access to /vendor/.

When they find an exposed endpoint, they send a POST request containing malicious PHP code in the request body. Because the file reads from standard input (php://stdin), it executes the payload immediately. This grants the attacker full control over the web server application.

Consequences of Exploitation

This file is intended for — specifically, to allow PHPUnit to evaluate code in a separate PHP process. However, if this file is accidentally exposed on a production web server, an attacker can:

Update your deployment pipelines to ensure development dependencies are excluded.