composer update phpunit/phpunit
That’s it. Just two lines.

| Item | Value |
|------|-------|
| Vulnerability | Remote Code Execution (RCE) |
| CVE | CVE-2017-9841 |
| Affected File | vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php |
| Attack Vector | HTTP POST to that file with PHP code in body |
| Patch | Remove PHPUnit from production / upgrade to PHPUnit ≥ 7.0 |
| Detection | grep -r "eval-stdin" /var/www / web logs for POST to that URI |

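
The web-log check from the Detection row, as an added example (not code from the original page): it parses access-log lines and flags requests for eval-stdin.php, normalising percent-encoding, doubled slashes and case before matching. The Combined Log Format, the sample lines and the verdict labels are assumptions.

```python
import re
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Tail of the affected file named on the page; the prefix before it depends
# on the document root, so only the tail is matched (assumption).
SUFFIX = "/src/util/php/eval-stdin.php"

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 31 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Jan/2024:10:00:05 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 404 162 "-" "-"',
    '192.0.2.44 - - [10/Jan/2024:10:00:09 +0000] "GET //vendor/phpunit//phpunit/src/util/php/eval-stdin.php?x=1 HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.50 - - [10/Jan/2024:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'truncated or non-CLF line',
]


def normalise(target):
    """Drop the query string, decode %XX escapes, collapse '//' and lower-case."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()


def classify(method, status):
    """POST answered 2xx matches the attack vector; any other 2xx means the file is served."""
    if 200 <= status < 300:
        return "investigate" if method == "POST" else "exposed"
    return "probe"


def scan(lines):
    """Return (host, method, status, verdict) for each request to eval-stdin.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skipped rather than guessed at
        if normalise(m["target"]).endswith(SUFFIX):
            status = int(m["status"])
            hits.append((m["host"], m["method"], status, classify(m["method"], status)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```
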
To mitigate the vulnerability, users should update to PHPUnit version 9.5.0 or later. Additionally, users of earlier PHPUnit versions can apply the following workarounds:
via web server configuration:
eval('?>' . file_get_contents('php://stdin'));