[patched] — Index of /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php: how the script works and why it is exposed

If you have discovered an "Index of" page listing this path, or are seeing requests for eval-stdin.php in your server logs, your application is probably being scanned for a well-known vulnerability in older versions of PHPUnit, tracked as CVE-2017-9841.

The Critical Flaw

The listing points at PHPUnit, a tool the developers used months ago to test their code before it went live. They had finished their work and moved on, but they made a fatal mistake: they left the testing tools on the production server, and they left them web-accessible.

Two misconfigurations combine here. The web server's document root points at the root of the project instead of at its public (or web) folder, so everything Composer installed under vendor/ is served over HTTP; and directory listing is enabled, so the server enumerates those files for anyone who asks.

Inside PHPUnit, the file eval-stdin.php serves a legitimate internal purpose. When a test is run in a separate process, the framework launches a child PHP interpreter and pipes the code to execute into it; eval-stdin.php is the receiving end, a one-liner that reads that code from a stream and hands it to eval(). The vulnerable releases (PHPUnit before 4.8.28, and 5.x before 5.6.3) read the code from php://input, which is the raw body of the current HTTP request, so any client that could reach the file over the web could have it evaluate arbitrary PHP. The vulnerability is tracked as CVE-2017-9841; the fix switched the stream to php://stdin, which a web client cannot write to. The file itself still ships with the 6.x to 9.x releases, and its presence on a web-reachable path is what scanners look for, because a directory listing does not reveal which variant is installed.

Reading the indexed path piece by piece:

| Part | Meaning |
|------|---------|
| Index of | Directory listing (often from a misconfigured Apache or nginx server) |
| vendor | Composer dependencies folder |
| phpunit | PHPUnit testing framework |
| phpunit/src | Source code of PHPUnit |
| util | Utilities folder |
| eval-stdin.php | A script that executes PHP code read from standard input |
| work | The search intent: how this script functions |

When deploying to a live production server, developers should install only the runtime dependencies:

```
composer install --no-dev
```

PHPUnit is declared under require-dev in composer.json, so the --no-dev flag leaves the entire vendor/phpunit tree out of the deployment.

Why this still matters: high-profile malware such as Androxgh0st continues to target this specific vulnerability to gather information and spread.

🛠️ How to Fix It Immediately

Three changes close the exposure: point the web server's document root at the application's public (or web) folder rather than the project root, so vendor/ is never served; rebuild the production dependencies with composer install --no-dev so PHPUnit is not present at all; and disable directory listing (Options -Indexes in Apache, autoindex off in nginx) so that a stray folder cannot advertise its contents.
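Before and after applying those fixes, it helps to check the deployed tree the same way a scanner would, but from the inside. The following Python script is an added example, not code from the original page or from PHPUnit: it looks for eval-stdin.php under a given document root and, if found, tells the vulnerable variant (reading php://input) from the patched one (reading php://stdin). The sample file bodies and the temporary document roots it builds are constructed for the demonstration.

```python
"""Audit a deployed PHP tree for a web-reachable copy of PHPUnit's eval-stdin.php.

Added example, not PHPUnit's or the page's own code. Assumptions (not from the
original page): the document root is passed in as a filesystem path; a vulnerable
copy is recognised by reading php://input (PHPUnit before 4.8.28 / 5.6.3), a
patched copy by reading php://stdin.
"""
import os
import re
import tempfile
from typing import Optional

# Path that scanners request, relative to the web root.
EVAL_STDIN_REL = os.path.join(
    "vendor", "phpunit", "phpunit", "src", "Util", "PHP", "eval-stdin.php"
)

# Constructed stand-ins for the two historical variants of the script body.
VULNERABLE_BODY = "<?php\neval('?>'.file_get_contents('php://input'));\n"
PATCHED_BODY = "<?php\neval('?>' . \\file_get_contents('php://stdin'));\n"

_STREAM_RE = re.compile(r"file_get_contents\(\s*['\"]php://(input|stdin)['\"]\s*\)")


def classify_eval_stdin(source: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for the given file contents."""
    m = _STREAM_RE.search(source)
    if m is None:
        return "unknown"
    return "vulnerable" if m.group(1) == "input" else "patched"


def audit_docroot(docroot: str) -> dict:
    """Report whether eval-stdin.php sits under docroot and which variant it is.

    'exposed' means the web server could serve the file at all. Even a patched
    copy is a finding: dev dependencies (or the whole vendor/ tree) leaked into
    the web root, which is exactly what composer install --no-dev and a correct
    document root are meant to prevent.
    """
    path = os.path.join(docroot, EVAL_STDIN_REL)
    if not os.path.isfile(path):
        return {"exposed": False, "variant": "absent", "path": path}
    with open(path, encoding="utf-8", errors="replace") as fh:
        variant = classify_eval_stdin(fh.read())
    return {"exposed": True, "variant": variant, "path": path}


def _build_fixture(body: Optional[str]) -> str:
    """Create a throw-away document root; body=None simulates a --no-dev install."""
    root = tempfile.mkdtemp(prefix="docroot-")
    if body is not None:
        full = os.path.join(root, EVAL_STDIN_REL)
        os.makedirs(os.path.dirname(full))
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    cases = (("vulnerable", VULNERABLE_BODY), ("patched", PATCHED_BODY), ("no-dev", None))
    for label, body in cases:
        print(label, audit_docroot(_build_fixture(body)))
```

Run it against the real document root (the directory the web server actually serves, not the project root) by replacing the fixture with that path; an "absent" result is the only acceptable one on a production host.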

A directory listing of the kind that gives this page its name:

```
Index of /vendor/phpunit/phpunit/src/Util/PHP/
[ICO] eval-stdin.php    2021-09-01 12:00    1.2K
```


A typical automated attack payload targeting this vulnerability looks like this:
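Whatever the payload body, every probe for this flaw has to request the same file name, which makes the attempts easy to spot in web server access logs. The script below is an added example, not part of the original page: it parses combined-format access log lines, flags requests aimed at eval-stdin.php (including percent-encoded and prefixed paths), and grades each hit by method and status. The log lines, addresses and user agents are constructed for illustration.

```python
"""Flag probes for PHPUnit's eval-stdin.php in Apache/nginx combined-format access logs.

Added example, not part of the original page. The log lines below are constructed;
client addresses, timestamps, sizes and user agents are made up for the demo.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: a normal request, a GET probe (the "does it exist?" check),
# a POST probe accepted by an exposed copy, and two POST probes answered 404 by a
# server whose document root does not expose vendor/. Scanners often prepend
# common prefixes such as /laravel/ and may percent-encode characters.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:14:09 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:14:10 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 32 "-" "python-requests/2.31"
198.51.100.77 - - [12/Mar/2024:10:15:41 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Go-http-client/1.1"
198.51.100.77 - - [12/Mar/2024:10:15:42 +0000] "POST /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 404 196 "-" "Go-http-client/1.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_eval_stdin_probe(path):
    """True when the request path targets eval-stdin.php inside a phpunit tree,
    after percent-decoding and dropping the query string."""
    decoded = unquote(path.split("?", 1)[0]).lower()
    return decoded.endswith("/eval-stdin.php") and "/phpunit/" in decoded


def scan_access_log(text):
    """Return one finding per probe, graded by what the response tells you.

    critical: a POST got a 2xx, so the file is served and the request body reached
              it; on a vulnerable copy that body was executed. Treat as a possible
              compromise until the deployed variant has been checked.
    high:     the file is reachable (2xx on a non-POST); exploitation needs one POST.
    info:     scanner activity only; the path is not served.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_eval_stdin_probe(m["path"]):
            continue
        status = int(m["status"])
        if m["method"] == "POST" and 200 <= status < 300:
            severity = "critical"
        elif 200 <= status < 300:
            severity = "high"
        else:
            severity = "info"
        findings.append({"ip": m["ip"], "method": m["method"], "path": m["path"],
                         "status": status, "severity": severity})
    return findings


def summarize(findings):
    """Count probing sources so the noisiest scanners can be blocked first."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG)
    for f in results:
        print(f["severity"].upper(), f["ip"], f["method"], f["status"], f["path"])
    print(summarize(results))
```

Feed it the real access log instead of SAMPLE_LOG; a stream of "info" findings is the normal background noise of internet scanning, while any "high" or "critical" entry means the document root is wrong and the fixes above need to be applied before anything else.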