Vulnerability
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a <?php substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Mitigation / Precaution
Upgrade to the latest version of PHPUnit. This issue was fixed in PHPUnit versions 4.8.28 and 5.6.3.
Written by
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
