PHPUnit Remote Code Execution
Description
PHPUnit is a widely-used unit testing framework for PHP applications. Versions 4.x prior to 4.8.28 and 5.x prior to 5.6.3 contain a critical remote code execution vulnerability. The framework's eval-stdin.php file accepts and executes arbitrary PHP code sent via HTTP POST requests when the payload begins with <?php. This vulnerability can only be exploited when the /vendor directory is accessible from the web server's document root, which occurs when PHPUnit is incorrectly deployed to production environments or when web server configurations fail to restrict access to development dependencies.
Remediation
Take the following steps to remediate this vulnerability:
1. Immediate Mitigation:
• Remove PHPUnit and all contents of the /vendor directory from production environments immediately. Development dependencies should never be deployed to production servers.
• If the vendor directory must remain accessible, configure your web server to block all access to it. For Apache, add this to your configuration or .htaccess file:
    <DirectoryMatch "^/.*/vendor/">
        Require all denied
    </DirectoryMatch>
  For Nginx, add:
    location ~ /vendor/ {
        deny all;
        return 403;
    }
2. Long-term Solution:
• Use composer install --no-dev when deploying to production to exclude development dependencies entirely
• If you must maintain PHPUnit in your environment for testing purposes, upgrade to version 4.8.28, 5.6.3, or later
• Implement a secure deployment pipeline that separates development and production dependencies
• Regularly audit your web server's document root to ensure no development tools are publicly accessible
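The audit step above and the web-server rules in the immediate-mitigation section can both be checked from a deployment pipeline. The following shell script is an added example, not part of this advisory or of PHPUnit: it lists every vendor/ directory and every eval-stdin.php file beneath a document root, and offers a curl-based check that a /vendor/ URL on your own site is denied. The function names, the constructed temporary directory layout used by the demo and the example URL are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit a deployed document root for
# development dependencies and verify that the web server denies /vendor/.
# Function names, the constructed demo layout and the sample URL are assumptions.

# List every vendor/ directory and every eval-stdin.php file beneath $1.
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_docroot() {
    root="$1"
    findings=$(
        find "$root" -type d -name vendor -print 2>/dev/null \
            | sed 's|^|vendor directory exposed: |'
        find "$root" -type f -name eval-stdin.php -print 2>/dev/null \
            | sed 's|^|eval-stdin.php exposed: |'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Number of findings beneath $1, for use as a pipeline gate.
count_exposed() {
    audit_docroot "$1" | wc -l | tr -d ' '
}

# Verify the Apache/Nginx rule from the remediation section: request a path
# under /vendor/ on your own site and accept only 403 or 404. Needs curl and
# network access, so the demo below does not call it.
# Usage: vendor_is_blocked "https://example.com/vendor/"   (example URL)
vendor_is_blocked() {
    status=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    case "$status" in
        403|404) return 0 ;;
        *) echo "unexpected HTTP $status for $1"; return 1 ;;
    esac
}

# Demo on a constructed temporary layout: one exposed deployment, one clean one.
demo=$(mktemp -d)
mkdir -p "$demo/exposed/vendor/phpunit" "$demo/clean/public"
: > "$demo/exposed/vendor/phpunit/eval-stdin.php"   # constructed, empty file
: > "$demo/clean/public/index.php"
echo "exposed deployment:"
audit_docroot "$demo/exposed" || echo "-> remove vendor/ or deny it in the web server"
echo "clean deployment:"
audit_docroot "$demo/clean" && echo "-> nothing found"
rm -rf "$demo"
```

Run audit_docroot against the document root of each production host after a deploy and fail the pipeline on a non-zero exit; a finding of any vendor/ directory is worth acting on even when eval-stdin.php itself is absent, since it indicates composer install was run with development dependencies.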