The /vendor/ directory must be publicly accessible from the web root.
The flaw exists in how the eval-stdin.php script handles input.
(Note: Deleting one file does not fix the root cause, but it stops automated attacks.)
Let’s look at the actual source code of eval-stdin.php (simplified for clarity):
The vulnerability stems from the eval-stdin.php script, which was intended to facilitate unit testing by processing code received on standard input. In vulnerable versions, the script passes the contents of php://input to eval(); in a web context, php://input is the raw body of an HTTP POST request, so anyone who can POST to the script can execute arbitrary PHP.
# Locate copies of the vulnerable script under the web root(s):
find /var/www -path "*/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" -exec ls -la {} \;
# ModSecurity rule that blocks any request whose URI references the script:
SecRule REQUEST_URI "eval-stdin\.php" "id:10001,deny,status:403,msg:'PHPUnit RCE attempt'"
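To complement the WAF rule with log-based detection, here is an added Python example (not code from the NVD entry or from PHPUnit): it parses combined-format access log lines, URL-decodes the request path so encoded variants of the filename are still caught, and flags requests to the eval-stdin.php path, treating POSTs as exploit attempts (the script only evaluates the POST body) and other methods as probes. The log lines, IP addresses and timestamps are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines in combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "curl/7.88.1"
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "POST /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Path of the vulnerable script; matched after URL-decoding and case-insensitively
# so that %2D-style encoding or case changes do not slip past.
TARGET_RE = re.compile(r'vendor/phpunit/phpunit/src/util/php/eval-stdin\.php', re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    # Drop any query string, then decode percent-encoding in the path.
    entry['path'] = unquote(entry['target'].split('?', 1)[0])
    return entry


def classify(entry):
    """Return None, 'probe' or 'exploit_attempt' for one parsed entry."""
    if not TARGET_RE.search(entry['path']):
        return None
    # eval-stdin.php evaluates only the raw POST body, so only a POST can carry code.
    return 'exploit_attempt' if entry['method'] == 'POST' else 'probe'


def scan_log(text):
    """Return (ip, method, decoded_path, status, verdict) for every matching line."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            hits.append((entry['ip'], entry['method'], entry['path'], entry['status'], verdict))
    return hits
```

A POST hit with status 200 means the script was reachable and ran; a 403 shows the WAF rule above firing, and a 404 shows a scanner guessing at a path that does not exist on this host.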