This indicates an attack attempt against a Remote Code Execution vulnerability in PHPUnit.The vulnerability, which is located in Util/PHP/eval-stdin.php, can be exploited via a HTTP POST request. A remote attacker may be able to exploit this to execute arbitrary code within the context of the application.

From the email I was able to conclude that the jeweler's online shop is based on WordPress as well as the WooCommerce plugin for WordPress and the Google Product Feed plugin for WooCommerce. One or more of these components was distributed together with (an outdated version of) PHPUnit, which contained the file eval-stdin.php. In the course of an automated scan for files that contain known security vulnerabilities such as CVE-2017-9841, the jeweler's hosting provider discovered the file eval-stdin.php, took the jeweler's host offline, and then informed the person responsible about this measure.

eval-stdin

The jeweler's employee responsible for the online shop looked at the contents of the file eval-stdin.php. After all, the hosting provider had explicitly referred to this file. In this file he found a copyright header with my name and my email address. Then he wrote me. Believing that I was responsible for the file being on his web server.

The file eval-stdin.php was added to PHPUnit in November 2015 in order to be able to run tests in separate PHP processes even if the PHP debugger phpdbg is used instead of the regular command line interpreter (php).

If you make eval-stdin.php publicly accessible on a web server, this file can be used for a Remote Code Execution attack, since in this context php://input provides access to, for example, HTTP POST payload data that is sent from the HTTP client to the web server. On June 27, 2017, the entry CVE-2017-9841 for this attack vector was added to the Common Vulnerabilities and Exposures database.

In retrospect, you are always smarter and it would probably have made sense to limit the execution of eval-stdin.php to cli and phpdbg from the start. However, such a limitation should not be necessary at all, since there is no reason to run PHPUnit outside the context of the development environment and command line. Rather, it is irresponsible if PHPUnit is available in contexts other than those mentioned.

I was contacted by the vendor of PrestaShop, an Open Source E-Commerce software, on January 6, 2020. They informed me that eval-stdin.php can be exploited for remote code execution when PHPUnit is publicly available on the web server and FastCGI is used to integrate PHP with that web server.

On January 7, 2020, a critical vulnerability in PrestaShop was made public. The root cause for this security vulnerability was the fact that PrestaShop was distributed with PHPUnit and therefore contained the eval-stdin.php script.

It irks me that I did not notice that eval-stdin.php can be deleted back in July 2018. As of PHPUnit 7.5.20 and PHPUnit 8.5.2 , released on January 8, 2020, the file eval-stdin.php is finally no longer a part of PHPUnit.

A vulnerability classified as critical has been found in PHPUnit up to 4.8.27/5.6.2. This affects an unknown function of the file Util/PHP/eval-stdin.php of the component HTTP POST Handler. The manipulation with an unknown input leads to a code injection vulnerability. CWE is classifying the issue as CWE-94. The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. This is going to have an impact on confidentiality, integrity, and availability.

By approaching the search of inurl:Util/PHP/eval-stdin.php it is possible to find vulnerable targets with Google Hacking. The vulnerability scanner Nessus provides a plugin with the ID 104693 (FreeBSD : mediawiki -- multiple vulnerabilities (298829e2-ccce-11e7-92e4-000c29649f92)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family FreeBSD Local Security Checks and running in the context local. The commercial vulnerability scanner Qualys is able to test this issue with plugin 277023 (Fedora Security Update for mediawiki (FEDORA-2017-59251d350d)). 2ff7e9595c