CVE-2017-9841: vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

CVE ID: CVE-2017-9841
CVSS Score: 9.8 (Critical)
Affected Versions: PHPUnit 4.x, 5.x, 6.x (specific subversions before the patch)
Vector: Network
Complexity: Low
Privileges Required: None
User Interaction: None

Let's examine the original vulnerable source code of eval-stdin.php:

<?php
// Original vulnerable code (simplified)
// php://input is the raw HTTP request body, so whatever a client POSTs
// to this script is concatenated after '?>' and handed straight to eval().
eval('?>'.file_get_contents('php://input'));

That’s it. Just two lines.

What does it do?

The critical mistake: the eval() construct executes any string as PHP code. The leading ?> closes PHP mode, so the appended request body is parsed exactly like a standalone PHP file, and any <?php ... ?> block inside it runs. The net result is catastrophic: any HTTP POST body sent to this script is executed as PHP, with the privileges of the web server process. The script was written as a command-line helper for PHPUnit, but it becomes a network-reachable remote code execution sink whenever the vendor/ directory is deployed inside the web root.

Search your codebase for unsafe patterns:

grep -r "php://input" vendor/phpunit/
grep -r "eval-stdin" vendor/
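The two grep lines above only tell you that the strings are present somewhere. The following scanner is an added example (not code from this page or from the PHPUnit project) that walks a tree, finds every eval-stdin.php, and classifies each copy as vulnerable (it evaluates php://input, the HTTP request body), patched (it reads php://stdin, the form shipped in the fixed PHPUnit releases) or unknown (hand-review). The sample tree it builds, the file contents and the directory names are constructed for the demonstration; the only real-world value in it is the canonical vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php path.

```python
"""Defensive scan for CVE-2017-9841 copies of PHPUnit's eval-stdin.php.

Added example, not code from the page or the PHPUnit project.  It walks a
directory tree, locates every eval-stdin.php and reports whether the file
still evaluates php://input (vulnerable), reads php://stdin (patched form)
or matches neither pattern (unknown, review manually).
"""
import os
import re
import tempfile

# Match  eval('?>' . file_get_contents('php://<stream>'))  while tolerating
# optional whitespace, either quote style and a leading backslash on the
# function name (the patched file uses \file_get_contents).
_PATTERN = re.compile(
    r"""eval\s*\(\s*['"]\?>['"]\s*\.\s*\\?file_get_contents\s*\(\s*['"]php://(input|stdin)['"]\s*\)\s*\)"""
)


def classify_eval_stdin(source: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one file's contents."""
    match = _PATTERN.search(source)
    if match is None:
        return "unknown"
    return "vulnerable" if match.group(1) == "input" else "patched"


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Find every eval-stdin.php under root and classify it.

    Returns sorted (relative path, status) pairs; paths use '/' so the
    result is stable across operating systems.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "eval-stdin.php":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                status = classify_eval_stdin(fh.read())
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, status))
    return sorted(findings)


# Constructed sample file contents (not copied from any real installation).
VULNERABLE_SRC = "<?php\neval('?>'.file_get_contents('php://input'));\n"
PATCHED_SRC = "<?php\neval('?>' . \\file_get_contents('php://stdin'));\n"
UNRELATED_SRC = "<?php\necho 'hello';\n"


def build_sample_tree(root: str) -> None:
    """Write a constructed project layout: one vulnerable copy in the usual
    vendor/ location, one patched copy in a stale tools/ checkout, and an
    unrelated PHP file that must not be reported."""
    samples = {
        "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php": VULNERABLE_SRC,
        "tools/old/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php": PATCHED_SRC,
        "public/index.php": UNRELATED_SRC,
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> dict[str, str]:
    """Build the constructed tree in a temp dir, scan it, return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return dict(scan_tree(root))


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:10s} {path}")
```

Any copy reported as vulnerable should be removed or upgraded, and vendor/ should not be reachable from the web root at all; a test helper has no business being served over HTTP even in its patched form. The patched classification only means the file no longer reads the request body; keeping dependency trees out of the document root is the durable fix.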