Index Of Vendor Phpunit Phpunit Src Util Php Evalstdinphp Work

The Persistent Threat of PHPUnit’s eval-stdin.php (CVE-2017-9841)

If REQUEST_METHOD is GET, POST, PUT, or DELETE originating from a web server context (and not CLI), the script returns http_response_code(403) and exits.
This renders the "index of" exposure useless for exploitation.

curl -k -I https://yoursite.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

The exact source from your installed vendor folder, say which PHPUnit version and I can explain differences.
A security review or suggestions to harden it.
A version that writes to a temp file instead of using eval(). Tell me which and I’ll provide it.

Why is this a security risk?

This file is intended for testing purposes only — specifically, to allow PHPUnit to evaluate code in a separate PHP process. However, if this file is accidentally exposed on a production web server, an attacker can: The Persistent Threat of PHPUnit’s eval-stdin

Wellcare will be performing maintenance on Saturday, December 13th, from 6 P.M. EDT to 8 A.M. EDT the next day. You might not be able to access systems or fax during this time. We are sorry for any issues this may cause. Thank you for your patience. If you need assistance, contact us. ×