Look for POST requests to:
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
with payloads containing <?php, system(, exec(, eval(, base64_decode(, etc.
The file src/Util/PHP/eval-stdin.php was intended for internal testing purposes. It contains the following code (simplified):
<?php
eval('?>' . file_get_contents('php://stdin'));
This script reads raw input from php://stdin (standard input) and passes it directly to eval(). No authentication, authorization, or input sanitization is performed.
What goes wrong?
If this script is accidentally exposed to the web (e.g., placed in a publicly accessible vendor/ directory), an attacker can send arbitrary PHP code via POST data or request body. The script will execute that code with the privileges of the web server.
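The detection guidance at the top of the page, turned into a runnable check. This is an added example, not code from the page or from PHPUnit; it assumes the Apache/nginx "combined" access-log format, treats eval-stdin.php under any path prefix (e.g. /app/vendor/...) as a match, and takes request bodies from a WAF or proxy audit log, since plain access logs do not record POST bodies.

```python
import re
from urllib.parse import unquote

# Path named on the page; a POST to it is the primary signal.
EVAL_STDIN_PATH = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

# Payload markers listed on the page, case-insensitive, whitespace allowed before "(".
PAYLOAD_RE = re.compile(r"<\?php|\b(?:system|exec|eval|base64_decode)\s*\(", re.I)

# Apache/nginx "combined" access-log format (assumed; adjust for other formats).
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def targets_eval_stdin(raw_path):
    """True if the decoded path ends with eval-stdin.php under any prefix
    (e.g. /app/vendor/...); query string and URL-encoding are normalised away."""
    return unquote(raw_path.split("?", 1)[0]).endswith(EVAL_STDIN_PATH)

def scan_access_log(lines):
    """(ip, timestamp, status) for every POST to eval-stdin.php. A 200 means the
    file exists and likely ran the body; a 404 is still probing worth tracking."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST" and targets_eval_stdin(m["path"]):
            hits.append((m["ip"], m["ts"], m["status"]))
    return hits

def scan_request_bodies(records):
    """records: (path, body) pairs from a WAF/proxy audit log that captures bodies
    (plain access logs do not). Returns (path, marker) when both path and a
    payload marker match; either alone is not reported."""
    hits = []
    for path, body in records:
        marker = PAYLOAD_RE.search(body)
        if targets_eval_stdin(path) and marker:
            hits.append((path, marker.group(0)))
    return hits

# Constructed sample data (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "POST /app/vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php?x=1 HTTP/1.1" 404 153 "-" "python-requests/2.31"',
]
SAMPLE_BODIES = [
    (EVAL_STDIN_PATH, "<?php echo 'probe'; ?>"),
    ("/contact.php", "message=please eval(uate) this"),  # marker but wrong path: ignored
    ("/app" + EVAL_STDIN_PATH, "name=bob"),              # path but no marker: ignored
]
```

Running the two scanners over the samples flags both POSTs in the access log (the 200 first, then the 404 probe with the encoded, prefixed path) and exactly one body hit; the "eval(uate)" false positive is suppressed because it targets a different path.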
Staying informed about vulnerabilities in your project's dependencies, such as PHPUnit, and updating to patched versions promptly are essential. Keep development and test utilities (including the contents of vendor/) out of web-reachable directories so that a file like this can never be requested over HTTP. If you have specific concerns about a vulnerability or how to secure your application, consult a security professional or the detailed guidance published by the software maintainers.