The vulnerability was discovered in 2016, and the fix has been available ever since. Yet, misconfigured servers continue to expose this file, and attackers continue to exploit it. The only way to stay safe is to treat the vendor/ directory as untouchable by the web server, to patch PHPUnit to a safe version, and to treat every index of listing as an urgent security incident.
The stream wrapper php://input reads raw data directly from the body of an HTTP POST request. When an application's root web directory incorrectly includes the vendor folder, an unauthenticated remote attacker can submit a standard web request directly to this file: index of vendor phpunit phpunit src util php evalstdinphp
Your server configuration is too permissive. The vulnerability was discovered in 2016, and the
Navigate to https://yourdomain.com . If you see a blank page (HTTP 200) instead of a 404 Not Found error, your site is vulnerable. The stream wrapper php://input reads raw data directly
<IfModule mod_rewrite.c> RewriteRule ^vendor/.*$ - [F,L] </IfModule>