vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php exploit

Protecting against the eval-stdin.php exploit requires a defense-in-depth approach.

1. Update PHPUnit

The server has just executed the id command. The attacker now has Remote Code Execution (RCE).

# Wrong (for production)
composer install

The vulnerability (CVE-2017-9841) is a Remote Code Execution (RCE) flaw in PHPUnit versions prior to and 5.x before 5.6.3.


This helper file was intentionally designed by the PHPUnit developers to support unit testing across process boundaries by executing PHP code passed in via an input stream. However, its core execution mechanism contains a devastatingly simple design flaw:

eval('?>' . file_get_contents('php://input'));

Why php://input Is Dangerous in Web Contexts

She added a line to every Dockerfile after that:

The vulnerability stems from an insecure eval() call combined with a lack of input validation. The script checks only that the POST data starts with <?php; after that, it will execute whatever follows. There is no authentication, no authorization check, and no further validation of any kind.