The danger of eval-stdin.php is so well-known that it has been assigned . The description: "PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a <?php tag, as demonstrated by an attack on a site with an exposed /vendor folder."
file_get_contents('php://input') reads raw, unvalidated data directly from the body of an incoming HTTP POST request.
The core of the vulnerability lies in the simplicity of the eval-stdin.php script. The file contains logic similar to the following:
require 'vendor/autoload.php';