Phpunit: Possible security break on file

Created on 3 May 2018  ·  4Comments  ·  Source: sebastianbergmann/phpunit

| Q | A |
| --- | --- |
| PHPUnit version | I don't know |
| PHP version | 7.1.15 |
| Installation Method | Composer |

I don't have phpunit in this project (WordPress site) and my vendor isn't exposed to the internet, but I think that this can be a problem. What do you think, guys?

This is the report from my WAF.

```
Time:       3 May 2018 12:59:35
Session:    This is secret
Client:     Unclassified, from France (212.xxx.yyy.zzz)
User agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML...
Entry page: my.domain/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Requests:   1

URL: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (POST)
Status: Blocked by security rules
Post: a=%3c%3fphp%20echo%2800000%200000006832%29%3b
Incident ID: Other secret
```

https://github.com/sebastianbergmann/phpunit/blob/master/src/Util/PHP/eval-stdin.php
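The WAF report above is a single blocked request, but the useful question for a site owner is whether any such request was ever answered rather than blocked. As an added example (not part of this issue or of PHPUnit), the Python below triages constructed access-log lines: it flags requests into a `vendor/` or `node_modules/` tree at any depth, URL-decodes the logged POST body so the probe is readable, and separates blocked probes from ones the server actually served, which is the case that needs action. The one-line log format, the documentation-range client addresses, the 403 status and the helper names are assumptions; the first sample line mirrors the path and body from the report.

```python
"""Triage WAF / access-log lines for probes against development tooling paths.
Added example; the log lines and their format are constructed for illustration."""
import re
from urllib.parse import unquote_plus

# Constructed sample: timestamp, client, method, path, status, raw POST body ("-" if none).
# The first line mirrors the request from the WAF report, with a documentation address.
SAMPLE_LOG = """\
2018-05-03T12:59:35Z 198.51.100.23 POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 403 a=%3c%3fphp%20echo%2800000%200000006832%29%3b
2018-05-03T12:59:36Z 203.0.113.5 GET /wp-login.php 200 -
2018-05-03T12:59:37Z 203.0.113.5 GET /node_modules/jquery/package.json 200 -
2018-05-03T12:59:38Z 203.0.113.9 GET /wp-content/uploads/logo.png 200 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<body>\S+)$"
)
# Directories that belong to the build, never to the served site (as the thread advises).
TOOLING_DIR_RE = re.compile(r"(^|/)(vendor|node_modules)/")


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_body(raw_body):
    """URL-decode a logged POST body; '-' means the request carried none."""
    return "" if raw_body == "-" else unquote_plus(raw_body)


def is_tooling_probe(path):
    """True when the request targets a vendor/ or node_modules/ tree, at any depth."""
    return TOOLING_DIR_RE.search(path.split("?", 1)[0]) is not None


def triage(log_text):
    """Return one finding per request into a tooling directory.

    'served' is True when the server answered with a non-error status, i.e. the
    directory is actually reachable and the deployment or server config needs fixing.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_tooling_probe(rec["path"]):
            continue
        status = int(rec["status"])
        findings.append({
            "client": rec["client"],
            "method": rec["method"],
            "path": rec["path"],
            "status": status,
            "decoded_body": decode_body(rec["body"]),
            "served": status < 400,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        verdict = "SERVED - fix deployment" if f["served"] else "blocked"
        print(f"{f['client']} {f['method']} {f['path']} -> {f['status']} ({verdict})")
        if f["decoded_body"]:
            print("  body:", f["decoded_body"])
```

Run against a real log by feeding `triage()` lines reformatted into the same six fields; any finding with `served` set is evidence that the build directory is reachable and the web server configuration or the deployment has to change.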

All 4 comments

If you upload PHPUnit to a production webserver then your deployment process is broken.

@joubertredrat you should not serve vendor / node_modules folders.
Try to edit your HTTP server config to return some error codes for those folders.
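The maintainer's point is that PHPUnit only reaches a web server through a broken deployment process, and the comment above adds that vendor/ and node_modules/ should not be served at all. As an added example (not part of PHPUnit or this thread), the Python below is a pre-deployment gate that fails a release when development-only artefacts are present under the document root. It assumes the Composer 2 layout of `vendor/composer/installed.json` (an object with `dev` and `dev-package-names` keys) and builds throwaway sample trees to check against; the function names are assumptions. Denying the same directories in the web server configuration remains the complementary control for anything already deployed.

```python
"""Pre-deployment gate: refuse to release a document root that still carries
development-only artefacts (PHPUnit, node_modules). Added example; the sample
trees are constructed with tempfile, and the installed.json layout assumed is
Composer 2's {"packages": [...], "dev": bool, "dev-package-names": [...]}."""
import json
import os
import sys
import tempfile


def find_dev_artifacts(docroot):
    """Return a list of human-readable findings; an empty list means the tree is clean."""
    findings = []
    manifest_path = os.path.join(docroot, "vendor", "composer", "installed.json")
    if os.path.isfile(manifest_path):
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        # Composer 2 records whether `composer install` pulled in require-dev packages.
        if isinstance(manifest, dict) and manifest.get("dev"):
            names = ", ".join(manifest.get("dev-package-names", [])) or "unknown"
            findings.append(f"vendor/composer/installed.json: require-dev installed ({names})")
    for root, dirs, files in os.walk(docroot):
        rel = os.path.relpath(root, docroot).replace(os.sep, "/")
        prefix = "" if rel == "." else rel + "/"
        if "node_modules" in dirs:
            findings.append(f"{prefix}node_modules: front-end build dependencies inside docroot")
            dirs.remove("node_modules")  # no need to descend into it
        if rel == "vendor/phpunit" or rel.endswith("/vendor/phpunit"):
            findings.append(f"{rel}: PHPUnit shipped to production")
        if "eval-stdin.php" in files:
            findings.append(f"{prefix}eval-stdin.php: executable test helper reachable under docroot")
    return sorted(findings)


def release_is_safe(docroot):
    """The gate itself: True only when no development artefact was found."""
    return not find_dev_artifacts(docroot)


def build_sample_tree(with_dev_packages):
    """Construct a throwaway docroot resembling a WordPress deploy (constructed sample).

    with_dev_packages=True imitates `composer install` without --no-dev plus a
    leftover node_modules; False imitates a production build.
    """
    docroot = tempfile.mkdtemp(prefix="docroot-")
    composer_dir = os.path.join(docroot, "vendor", "composer")
    os.makedirs(composer_dir)
    manifest = {
        "packages": [],
        "dev": with_dev_packages,
        "dev-package-names": ["phpunit/phpunit"] if with_dev_packages else [],
    }
    with open(os.path.join(composer_dir, "installed.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    if with_dev_packages:
        helper_dir = os.path.join(docroot, "vendor", "phpunit", "phpunit", "src", "Util", "PHP")
        os.makedirs(helper_dir)
        open(os.path.join(helper_dir, "eval-stdin.php"), "w", encoding="utf-8").close()
        os.makedirs(os.path.join(docroot, "node_modules", "some-package"))
    return docroot


if __name__ == "__main__":
    # Point at a real build directory as argv[1]; otherwise inspect a constructed bad tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(True)
    for finding in find_dev_artifacts(target):
        print("BLOCK:", finding)
    sys.exit(0 if release_is_safe(target) else 1)
```

Wire `release_is_safe()` into the CI step that produces the release artefact, after `composer install --no-dev`, so a tree that still contains PHPUnit never gets uploaded in the first place.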

> If you upload PHPUnit to a production webserver then your deployment process is broken.

This is a common attack used by hackers looking for machines to break into.
From your comment it is clear that you have zero intention of doing anything to mitigate this well known and damaging attack.

This is one more reason never to use PHP. The PHP community don't get security,
and are happy to shrug their shoulders and leave massive vulnerabilities open.
