Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Published: 2019-09-05
Attackers are leveraging a vulnerability patched nearly three years ago to target Drupal sites. Background On September 4, Drupal published PSA-2019-09-04, a public service announcement (PSA) for a vulnerability in a third-party library in a Drupal module that’s being actively exploited in the wild.
https://isc.sans.edu/diary/rss/31528
https://www.infosecurity-magazine.com/news/androxgh0st-botnet-adopts-mozi/
https://hackread.com/androxgh0st-botnet-integrate-mozi-iot-vulnerabilities/
https://isc.sans.edu/diary/rss/31086
https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit
https://thehackernews.com/2024/03/androxgh0st-malware-targets-laravel.html
https://blogs.juniper.net/en-us/security/shielding-networks-against-androxgh0st
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
https://blog.aquasec.com/loony-tunables-vulnerability-exploited-by-kinsing
https://www.oracle.com/security-alerts/cpuoct2021.html
https://security.gentoo.org/glsa/201711-15
https://github.com/sebastianbergmann/phpunit/pull/1956
https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/