PHPUnit
cpe:2.3:a:phpunit_project:phpunit:*:*:*:*:*:*:*
- >= 4.8.19, <= 4.8.27
- >= 5.0.10, <= 5.6.2
This vulnerability is being actively exploited in the wild.
A remote code execution vulnerability exists in PHPUnit versions prior to 4.8.28 and in 5.x versions prior to 5.6.3. The issue lies in the 'eval-stdin.php' file, which passes the body of the HTTP POST request (read from 'php://input') to the 'eval' function. The vulnerability can be exploited on servers that expose the '/vendor' directory over the web, which makes the vulnerable 'eval-stdin.php' script reachable by remote clients.
Exploitation of this vulnerability allows for arbitrary PHP code execution on the server.
To reproduce this vulnerability, install a vulnerable version of PHPUnit (e.g., 5.6.2) using Composer. Then, run a PHP web server with the document root set to the directory containing the vulnerable PHPUnit installation. Once the server is running, send a POST request to the exposed 'eval-stdin.php' file with a payload that includes PHP code, such as a command to echo the value of pi. If successful, the response will include the output of the executed PHP code, demonstrating that arbitrary code execution has been achieved.
Users can upgrade to PHPUnit versions 4.8.28, 5.6.3, or 6.x. Alternatively, PHPUnit can be removed from the production environment or the vulnerability can be patched manually by modifying the 'eval-stdin.php' file to use 'php://stdin' instead of 'php://input'.
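As an added, defender-side example that is not part of this advisory: a Python audit script that checks a composer.lock for phpunit/phpunit against the affected ranges listed above, records whether it is only a dev dependency (and so should not ship to production), and checks whether an eval-stdin.php source still reads 'php://input' rather than 'php://stdin'. The composer.lock fragment and the two one-line snippets are constructed for illustration, not copied from PHPUnit.

```python
import json
import re

# Affected ranges taken from the advisory above (inclusive bounds).
AFFECTED_RANGES = [
    ((4, 8, 19), (4, 8, 27)),
    ((5, 0, 10), (5, 6, 2)),
]

# Constructed one-liners standing in for the relevant line of eval-stdin.php:
# the advisory says the manual fix swaps the php://input stream for php://stdin.
VULNERABLE_SNIPPET = "eval('?>' . file_get_contents('php://input'));"
PATCHED_SNIPPET = "eval('?>' . file_get_contents('php://stdin'));"

# Constructed composer.lock fragment: PHPUnit declared only as a dev dependency.
SAMPLE_LOCK = json.dumps({
    "packages": [],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "5.6.2"}],
})

def parse_version(version: str) -> tuple:
    """Turn '5.6.2' or 'v4.8.27' into a 3-tuple of ints; pre-release tags are dropped."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def audit_composer_lock(lock_text: str) -> dict:
    """Locate phpunit/phpunit in a composer.lock and classify its version and section."""
    lock = json.loads(lock_text)
    report = {"found": False, "version": None, "affected": False, "dev_only": False}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "phpunit/phpunit":
                report.update(found=True, version=pkg["version"],
                              affected=is_affected(pkg["version"]),
                              dev_only=(section == "packages-dev"))
    return report

def still_reads_request_body(eval_stdin_source: str) -> bool:
    """True if eval-stdin.php still feeds php://input to eval, i.e. the manual patch is absent."""
    return "php://input" in eval_stdin_source
```

A package that is `dev_only` has no business in a production deployment; an `affected` version found under `packages` is the case that needs the upgrade or manual patch.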