Sponge Bob Square Pants

Vendor Phpunit Phpunit Src Util Php Eval-stdin.php Exploit Site

RUN rm -f vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

The root cause is running Composer with the --dev flag, or without --no-dev, in production. Many developers run composer install (which installs everything) on a live server. PHPUnit, being a require-dev dependency by default, ends up in the public web root.

The most definitive fix is upgrading PHPUnit to a secure version. The flaw was resolved in the following versions:

PHPUnit 4.8.36 and higher
PHPUnit 5.7.21 and higher
All versions of PHPUnit 6 onwards

Run Composer to update your packages:

composer update phpunit/phpunit

2. Remove Development Dependencies from Production

RUN rm -f vendor/phpunit/phpunit/src/Util/PHP/eval-stdin

Using curl, an attacker can execute system commands:

This script allowed PHPUnit to run code subprocesses locally during testing suites via the command line interface (CLI).
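The two fixes described above (upgrade to a fixed release, keep dev dependencies off production) can be checked together on a deployed tree. The following is an added example, not code from the original post or from PHPUnit: it reads each composer.lock under a directory, compares the locked phpunit/phpunit version with the fixed versions listed above, and reports whether eval-stdin.php is present on disk. The function names and the sample tree are constructed for illustration.

```python
import json, os, re, tempfile

# Path named on the page, relative to a Composer project root.
EVAL_STDIN = os.path.join("vendor", "phpunit", "phpunit", "src", "Util", "PHP", "eval-stdin.php")

def is_fixed(version):
    """True if version is in a release the page lists as fixed."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version or "")
    if not m:
        return False  # e.g. "dev-master": cannot be verified, so flag it
    v = tuple(int(x) for x in m.groups())
    # Thresholds apply per release line: 5.0.0 is not covered by the 4.8.36 fix.
    floor = {4: (4, 8, 36), 5: (5, 7, 21)}.get(v[0], (6, 0, 0))
    return v >= floor

def audit(root):
    """Report every phpunit/phpunit entry in composer.lock files under root."""
    findings = []
    for project, _dirs, files in os.walk(root):
        if "composer.lock" not in files:
            continue
        with open(os.path.join(project, "composer.lock")) as fh:
            lock = json.load(fh)
        for section in ("packages", "packages-dev"):
            for pkg in lock.get(section) or []:
                if pkg.get("name") == "phpunit/phpunit":
                    findings.append({
                        "project": os.path.relpath(project, root),
                        "version": pkg.get("version"),
                        "fixed": is_fixed(pkg.get("version")),
                        "file_present": os.path.isfile(os.path.join(project, EVAL_STDIN)),
                    })
    return findings

def build_sample(root):
    """Constructed sample: 'old' ships dev deps, 'clean' was installed with --no-dev."""
    for name, version, with_file in (("old", "5.6.2", True), ("clean", "6.5.0", False)):
        project = os.path.join(root, name)
        os.makedirs(project)
        with open(os.path.join(project, "composer.lock"), "w") as fh:
            json.dump({"packages": [], "packages-dev": [{"name": "phpunit/phpunit", "version": version}]}, fh)
        if with_file:
            os.makedirs(os.path.join(project, os.path.dirname(EVAL_STDIN)))
            open(os.path.join(project, EVAL_STDIN), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

A finding with file_present set to True means the tree was installed with dev dependencies, whatever the locked version says.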