The vulnerability stems from the eval-stdin.php file, which was designed to facilitate unit testing by executing PHP code provided via standard input (source: ludy-dev/PHPUnit_eval-stdin_RCE on GitHub).
Request seen in exploitation attempts:

    POST /vendor/phpunit/phpunit/src/util/php/eval-stdin.php HTTP/1.1
    Host: vulnerable-system.com
    Content-Type: application/x-www-form-urlencoded
The eval-stdin.php file is part of PHPUnit and is used when testing PHP code: it evaluates PHP code provided through standard input. Like any code that executes user-supplied input, it poses a significant risk if not properly sanitized, as it could be exploited to execute arbitrary code.
A proof-of-concept exploit has been publicly disclosed, demonstrating how an attacker can execute arbitrary code on a vulnerable system. The exploit involves providing malicious input to the eval-stdin.php script, which the vulnerable PHPUnit instance then executes.
Affected versions: PHPUnit versions before 4.8.28 and 5.x versions before 5.6.3.

Why This Happens
Look for POST requests to /vendor/phpunit/phpunit/src/util/php/eval-stdin.php.