Page MenuHomePhabricator
Create Task
Maniphest T204424

Toolforge tool "mwstew" vulnerable to PHPUnit remote code execution
Closed, ResolvedPublic
Actions

Description

$ curl --data "<?php echo(pi());" "https://tools.wmflabs.org/mwstew/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
3.1415926535898

This is CVE-2017-9841 / http://phpunit.vulnbusters.com/

I deleted the problematic file for now (tools.mwstew@tools-bastion-03:~/public_html$ rm vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php), but PHPUnit needs to be upgraded to the latest 4.x release to avoid the issue in the future. Also it would be good to not install dev dependencies with composer install --no-dev.

I noticed this with my new Toolforge vulnerability checker.

Related Objects

Event Timeline

Legoktm created this task.Sep 16 2018, 1:41 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 16 2018, 1:41 AM
Legoktm triaged this task as High priority.Sep 16 2018, 1:43 AM
Legoktm added a project: Toolforge.
Legoktm updated the task description. (Show Details)
Legoktm added a subscriber: Mooeypoo.
Legoktm mentioned this in T203735: Run automated dependency vulnerability checkers regularly against all Toolforge webservice tools.Sep 16 2018, 1:46 AM
GTirloni added a project: cloud-services-team (Kanban).Mar 24 2019, 12:04 PM
Mooeypoo added a comment.Mar 24 2019, 11:48 PM

Eek, thank you. I'm generally reworking this tool but it is taking me quite a while since it's done on the side... I'll need to make sure I'm not updating composer on dev, though.

Phamhi claimed this task.Nov 13 2019, 2:28 PM
Phamhi closed this task as Resolved.Nov 14 2019, 12:22 PM

I checked and phpunit has been removed from mwstew tool.

chasemp added a project: Security.Feb 10 2020, 10:54 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 28 2021, 12:29 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits