1. 3
  1.  

  2. 1

    This is a really weird situation, I’ve never seen anyone putting any PHPUnit files anywhere accessible in a webroot nor anyone reusing the code in a project. I’d say nearly all people use it as a development dependency, so I find this a little puzzling.

    1. 2

      There are two options when this might happen:

      1. You have a project which makes use of composer. This project has phpunit declared in the required-dev composer configuration property. If you install dependencies by yourself using composer install, it will automatically pull the PHPUnit package into your vendor/ folder. For productive deployments, always use composer install --no-dev

      2. You have a project which makes use of composer and the developer mistakenly put PHPUnit in the standard required composer configuration property. Even if you use composer correctly, it will still be in the vendor/ folder.

      The sad fact is, some developers made one of the above mistakes for a big project (or a dependency of a big project), and here is where we are now.

      1. 1

        True, but isn’t this the key line?

        This allows an attacker to run arbitrary code via an HTTP request to eval-stdin.php.

        How do you get from “this file is in the vendors dir” to “it’s accessible over HTTP”? Dependencies outside of your docroot have been a best practice for 10? 15? years?

        Please tell me where my mental error is because “copying arbitrary files into a docroot which shouldn’t be there in the first place” isn’t even an “RCE vulnerability” to me. The problem seems to be that it’s written in PHP and thus probably/maybe executed when accessed via HTTP, whereas the webserver would probably serve code in any other language as plaintext.

        1. 1

          How do you get from “this file is in the vendors dir” to “it’s accessible over HTTP”? Dependencies outside of your docroot have been a best practice for 10? 15? years?

          Dependencies out of the webroot are not standard. Developers are free to use whatever they want. I looked at Prestashop and it appears not to be the case for them (https://github.com/PrestaShop/PrestaShop). I assume the other product(s) use a similar approach.

          I assume some hosters only give upload access to the webroot, therefore projects bundle everything under one roof. One other example that comes to mind is WordPress (although I don’t think it uses composer).
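The two ways PHPUnit ends up in a deployed vendor/ folder (listed in "require", or listed in "require-dev" but installed without --no-dev) and the layout question of whether vendor/ sits under the docroot can be checked mechanically. The following audit is an added example, not code from the thread or from Composer; the composer.json snippets, installed package sets and paths are constructed, and the vendor path of eval-stdin.php is assumed from PHPUnit's source layout.

```python
import json
from pathlib import PurePosixPath

PHPUNIT = "phpunit/phpunit"
# Assumed location of the script under vendor/ (PHPUnit's own layout).
EVAL_STDIN = "phpunit/phpunit/src/Util/PHP/eval-stdin.php"

# Constructed composer.json with PHPUnit wrongly in "require":
BAD_COMPOSER_JSON = '{"require": {"php": ">=7.0", "phpunit/phpunit": "^5.7"}}'
# The same project with PHPUnit moved to "require-dev":
GOOD_COMPOSER_JSON = ('{"require": {"php": ">=7.0"}, '
                      '"require-dev": {"phpunit/phpunit": "^5.7"}}')


def phpunit_section(composer_json: str) -> str:
    """Which composer.json section declares PHPUnit: 'require', 'require-dev' or 'absent'."""
    data = json.loads(composer_json)
    if PHPUNIT in data.get("require", {}):
        return "require"
    if PHPUNIT in data.get("require-dev", {}):
        return "require-dev"
    return "absent"


def vendor_under_docroot(docroot: str, vendor_dir: str) -> bool:
    """True when vendor/ is the docroot or lies anywhere beneath it."""
    d, v = PurePosixPath(docroot), PurePosixPath(vendor_dir)
    return d == v or d in v.parents


def audit(composer_json: str, installed: set, docroot: str, vendor_dir: str) -> list:
    """Return human-readable findings; an empty list means nothing to flag.

    `installed` is the set of package names actually present in vendor/
    (e.g. taken from `composer show`), constructed here for the example."""
    findings = []
    section = phpunit_section(composer_json)
    present = PHPUNIT in installed
    if section == "require":
        findings.append("phpunit declared in 'require': it is installed even with "
                        "--no-dev; move it to 'require-dev'")
    elif section == "require-dev" and present:
        findings.append("phpunit from 'require-dev' is installed: production deploys "
                        "should run 'composer install --no-dev'")
    if present and vendor_under_docroot(docroot, vendor_dir):
        findings.append(f"{vendor_dir} is inside document root {docroot}: "
                        f"{vendor_dir}/{EVAL_STDIN} would be reachable over HTTP")
    return findings
```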