| Q                   | A            |
| ------------------- | ------------ |
| PHPUnit version     | I don't know |
| PHP version         | 7.1.15       |
| Installation Method | Composer     |
I don't have PHPUnit in this project (WordPress site) and my vendor directory isn't exposed to the internet, but I think that this can be a problem. What do you think, guys?
This is the report from my WAF.
Time: 3 May 2018 12:59:35
Session: This is secret
Client: Unclassified, from France (212.xxx.yyy.zzz)
User agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML...
Entry page: my.domain/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Requests: 1
URL: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (POST)
Status: Blocked by security rules
Post: a=%3c%3fphp%20echo%2800000%200000006832%29%3b
Incident ID: Other secret
https://github.com/sebastianbergmann/phpunit/blob/master/src/Util/PHP/eval-stdin.php
If you upload PHPUnit to a production webserver then your deployment process is broken.
@joubertredrat you should not serve vendor / node_modules folders.
Try to edit your HTTP server config to return some error codes for those folders.
> If you upload PHPUnit to a production webserver then your deployment process is broken.
This is a common attack used by hackers looking for machines to break into.
From your comment it is clear that you have zero intention of doing anything to mitigate this well known and damaging attack.
This is one more reason never to use PHP. The PHP community don't get security,
and are happy to shrug their shoulders and leave massive vulnerabilities open.
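
One way to triage reports like the WAF entry quoted in this issue, as an added example (not code from the thread or from PHPUnit): it parses the `Key: value` report layout, flags requests into the dependency directories named above, and percent-decodes the `Post` field to show what was submitted. The function names, the sample report and the placeholder client address are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Directories the thread says should never be served by the web server.
DEPENDENCY_DIRS = ("vendor", "node_modules")

# Constructed sample in the layout of the WAF report quoted in the issue
# (client address is a documentation-range placeholder, secrets omitted).
SAMPLE_REPORT = """\
Time: 3 May 2018 12:59:35
Client: Unclassified, from France (203.0.113.10)
URL: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (POST)
Status: Blocked by security rules
Post: a=%3c%3fphp%20echo%2800000%200000006832%29%3b
"""

def parse_report(text):
    """Split 'Key: value' lines into a dict (keys lower-cased)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def triage(text):
    """Return findings for one WAF report; an empty list means nothing matched."""
    fields = parse_report(text)
    findings = []
    match = re.match(r"(?P<path>\S+)(?:\s+\((?P<method>[A-Z]+)\))?$", fields.get("url", ""))
    path = match.group("path") if match else ""
    segments = [s for s in path.split("/") if s]
    if segments and segments[0].lower() in DEPENDENCY_DIRS:
        findings.append("request targets dependency directory /" + segments[0])
    if path.lower().endswith("/eval-stdin.php"):
        findings.append("request targets PHPUnit eval-stdin.php")
    # Percent-decode the form body and look for PHP source in any parameter.
    for name, value in parse_qsl(fields.get("post", ""), keep_blank_values=True):
        if "<?" in value:
            findings.append("POST parameter %r carries PHP code: %s" % (name, value))
    if findings and "blocked" not in fields.get("status", "").lower():
        findings.append("request was NOT blocked: check whether the path is served")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

A report that produces findings without a "blocked" status is the case to follow up first, by confirming that the web server returns an error for that path.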