The vulnerability discussed in this paper (CVE-2017-9841) lies in PHPUnit's eval-stdin.php utility script, shipped inside the package at src/Util/PHP/eval-stdin.php. It highlights a broader security lapse: development and test tooling that was never meant to be reachable from the internet is deployed alongside production code, with no separation between the two.
The script exists so that PHPUnit can evaluate PHP code handed to it on standard input when it runs test code in a separate PHP process. When the file is reachable over HTTP, an attacker supplies that code in the request body instead, and the web server's PHP interpreter executes it.
The php://input stream exposes the raw body of the current HTTP request. eval-stdin.php passes that data straight into eval(), with no sanitization, no authentication and no check that it is running under the command-line interpreter rather than a web server, so the script is a direct path to Remote Code Execution (RCE).
The Attack Vector
When the vendor directory containing PHPUnit sits inside a publicly accessible web root, an attacker can request the file directly with a web browser or any HTTP client and place the PHP code to be run in the POST body.
Several factors contribute to its persistence. One is bundling: multiple modules historically shipped their own vendored copies of PHPUnit inside their module directories, so patching or removing the site's main vendor/ tree does not remove every exposed eval-stdin.php.
The vulnerability allows an unauthenticated remote attacker to execute arbitrary PHP code on any server where PHPUnit is incorrectly exposed in a public web directory.
Core Mechanism
eval-stdin.php reads the request body and hands it to eval(). Because the script evaluates the body prefixed with a closing tag (eval('?>' . ...)), the interpreter starts in plain-text mode, so the body must begin with <?php to be treated as code rather than echoed back. A body such as <?php system("ls -la"); is therefore executed by the web server's PHP process, and the command output comes back in the HTTP response.