CVE-2017-9841 is a critical vulnerability in PHPUnit, a widely-used PHP testing framework, that allows remote attackers to execute arbitrary PHP code on vulnerable websites. The vulnerability is found in the Util/PHP/eval-stdin.php file of PHPUnit versions before 4.8.28 and 5.x before 5.6.3. Attackers can exploit this vulnerability by sending HTTP POST data that begins with a "<?php" substring, which is then executed by the server. This can lead to full remote code execution, allowing attackers to take control of the affected server.
The vulnerability has been actively exploited, particularly targeting Drupal sites. Attackers can leverage this vulnerability to install malware, deface websites, steal sensitive information, and perform other malicious activities. The critical nature of this vulnerability is underscored by its high CVSS score of 9.8, indicating severe potential impact on confidentiality, integrity, and availability of the affected systems.
The vulnerability was first patched in November 2016, with fixed versions being 4.8.28 and 5.6.3. However, many systems remain vulnerable due to outdated software or remnants of vulnerable code left on servers. For instance, the presence of the eval-stdin.php file referencing the php://input wrapper instead of the php://stdin wrapper indicates a vulnerable system.
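The file check described above, as an added example (not code from PHPUnit or from any vendor named on this page): a Python scanner that walks a directory tree, finds every eval-stdin.php, and classifies it by which stream wrapper it references. The function names, the site_a/site_b directory layout and the sample file contents are constructed for illustration.

```python
import os
import sys
import tempfile

TARGET = "eval-stdin.php"  # file name given on this page


def classify(source):
    """Classify eval-stdin.php contents by the stream wrapper they reference."""
    if "php://input" in source:
        return "vulnerable"  # reads the HTTP request body
    if "php://stdin" in source:
        return "patched"     # reads only the CLI's standard input
    return "unknown"         # present, but neither wrapper found: review by hand


def scan(root):
    """Return {path: status} for every eval-stdin.php below root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if TARGET in files:
            path = os.path.join(dirpath, TARGET)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings[path] = classify(fh.read())
    return findings


def build_sample_tree(root):
    """Constructed sample: two made-up sites, one per wrapper."""
    samples = {
        "site_a": "<?php\n$code = file_get_contents('php://input');\n",
        "site_b": "<?php\n$code = file_get_contents('php://stdin');\n",
    }
    for site, body in samples.items():
        directory = os.path.join(root, site, "lib", "Util", "PHP")
        os.makedirs(directory)
        with open(os.path.join(directory, TARGET), "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan(sys.argv[1])  # scan a real web root
    else:
        with tempfile.TemporaryDirectory() as tmp:  # demo on constructed data
            build_sample_tree(tmp)
            results = scan(tmp)
    for path, status in sorted(results.items()):
        print(f"{status:10} {path}")
```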
Various cybersecurity organizations, including OVHcloud, Tenable, and FortiGuard Labs, have provided guidance and tools to detect and mitigate this vulnerability. Exploits for CVE-2017-9841 have been published on platforms like Exploit Database and GitHub, making it easier for attackers to target unpatched systems. Therefore, it is crucial for organizations to review their systems and apply necessary patches to mitigate the risk posed by this vulnerability.