CVE-2017-9841


CVSS 9.8 CRITICAL · EPSS 100.0% · KEV · CWE-94
In short

PHPUnit's eval-stdin.php script allows attackers to execute arbitrary PHP code by sending specially crafted HTTP POST requests. This is critical because it gives complete control over the server to anyone who can access the exposed file.

Technical detail

A remote code execution vulnerability in PHPUnit versions before 4.8.28 and 5.x before 5.6.3 exists in the eval-stdin.php utility script, which unsafely evaluates PHP code from POST data. An unauthenticated attacker can exploit this if the /vendor directory is publicly accessible, achieving arbitrary code execution on the server with the privileges of the web process.

Summary generated and translated by AI from the official description.

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
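A defender-side check that follows from the description above, added here as an example and not code from this page, from PHPUnit or from the site: it scans web-server access-log lines for requests to the eval-stdin.php URI (a POST is the request shape the advisory describes, anything else is a probe for the file) and for any successful response from under /vendor/, which is the precondition the advisory names. The combined log format, the sample lines, and the basename match that also catches the script under a different install prefix are assumptions of this example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Request URI named in the advisory. Any request to it from outside the host
# means /vendor is web-reachable, which is the precondition for CVE-2017-9841.
EVAL_STDIN_URI = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

# Common/combined access-log format (assumed):
#   client - - [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def normalize_path(raw: str) -> str:
    """Drop the query string, percent-decode twice (double encoding) and collapse
    repeated slashes, so /vendor//.../eval%2Dstdin.php?x=1 compares equal to the
    advisory's URI instead of slipping past an exact-string match."""
    path = raw.split("?", 1)[0]
    path = unquote(unquote(path))
    return re.sub(r"/{2,}", "/", path)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if the line is unremarkable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m["path"])
    status = m["status"]
    finding = {"client": m["client"], "method": m["method"], "path": path, "status": status}
    # The script itself: POST is the exploit shape in the advisory, anything else is
    # reconnaissance for the file. The basename match is an assumption that the same
    # script may sit under another vendor prefix in other install layouts.
    if path == EVAL_STDIN_URI or path.endswith("/Util/PHP/eval-stdin.php"):
        finding["verdict"] = "exploit_attempt" if m["method"] == "POST" else "probe"
        return finding
    # A 2xx for anything under /vendor/ proves the precondition on its own.
    if path.startswith("/vendor/") and status.startswith("2"):
        finding["verdict"] = "vendor_reachable"
        return finding
    return None


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Findings for every flagged line, in log order."""
    return [f for line in lines if (f := classify(line)) is not None]


def vendor_exposed(findings: List[Dict[str, str]]) -> bool:
    """True if any flagged request was answered with 2xx: the directory (or the
    script) is reachable and a deny rule / removal of the file is still needed."""
    return any(f["status"].startswith("2") for f in findings)


# Constructed sample lines for this example; not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2024:10:01:05 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0',
    '203.0.113.7 - - [10/Mar/2024:10:01:06 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 43',
    '198.51.100.9 - - [10/Mar/2024:10:02:11 +0000] "POST /vendor//phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php?x=1 HTTP/1.1" 404 153',
    '198.51.100.12 - - [10/Mar/2024:10:03:00 +0000] "GET /vendor/autoload.php HTTP/1.1" 403 0',
    '198.51.100.12 - - [10/Mar/2024:10:03:01 +0000] "GET /vendor/composer/installed.json HTTP/1.1" 200 8812',
]

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['verdict']:16} {f['client']:14} {f['method']:4} {f['status']} {f['path']}")
    print("vendor reachable:", vendor_exposed(found))
```

The 403 on /vendor/autoload.php is deliberately not a finding: a denied request under /vendor/ is the server behaving as it should, while the 404 for the double-encoded POST is still reported, because the attempt matters even when it failed. Run it over real logs by feeding lines to scan_access_log; a non-empty result with vendor_exposed() true means the path must be blocked at the web server or the file removed, independent of whether PHPUnit has been upgraded.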
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
