Xdebug remote code execution via xdebug.remote_connect_back

Description
  • Xdebug is an extension for PHP to assist with debugging and development. It was determined that Xdebug is configured with the xdebug.remote_connect_back option enabled, as shown in the following example.

    xdebug.remote_enable = true
    xdebug.remote_connect_back = true
    xdebug.remote_host = 127.0.0.1 # ignored/disabled

    When enabled, the xdebug.remote_host setting is ignored and Xdebug will try to connect to the client that made the HTTP request. It checks the $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR'] variables to find out which IP address to use.

    If xdebug.remote_addr_header is configured, then the $_SERVER variable with the configured name will be checked before the $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR'] variables.

    Please note that there is no filter available, and anybody who can connect to the webserver will then be able to start a debugging session, even if their address does not match xdebug.remote_host.
Remediation
  • Set xdebug.remote_connect_back to 0 (the default value).

    xdebug.remote_connect_back = 0
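    As an added example (not part of this finding and not Xdebug's own code), the following Python script parses a php.ini fragment, reports the weak setting and accepts the corrected one, and replicates the lookup order described above for the address a connect-back would be made to. The script, its function names and the sample addresses are constructed for illustration.

```python
"""Audit Xdebug connect-back settings in a php.ini fragment (constructed example)."""
import re

TRUTHY = {"1", "on", "true", "yes"}


def parse_ini(text):
    """Minimal php.ini parser: 'key = value' lines, ';' or '#' comments, quotes stripped."""
    settings = {}
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip("\"'")
    return settings


def is_on(settings, key):
    """PHP treats 1/on/true/yes as enabled; anything else (or unset) is off."""
    return settings.get(key, "0").lower() in TRUTHY


def audit_xdebug(settings):
    """Return a finding string, or None when connect-back cannot be triggered by clients."""
    if is_on(settings, "xdebug.remote_enable") and is_on(settings, "xdebug.remote_connect_back"):
        return ("xdebug.remote_connect_back is enabled: xdebug.remote_host is ignored and the "
                "requesting client chooses the debugger endpoint; set it to 0")
    return None


def connect_back_target(settings, server):
    """Address Xdebug would connect to, following the order described in the finding:
    the configured xdebug.remote_addr_header variable first, then HTTP_X_FORWARDED_FOR,
    then REMOTE_ADDR. `server` stands in for PHP's $_SERVER array."""
    names = []
    header = settings.get("xdebug.remote_addr_header", "")
    if header:
        names.append(header)
    names += ["HTTP_X_FORWARDED_FOR", "REMOTE_ADDR"]
    for name in names:
        if server.get(name):
            return server[name]
    return None


# Constructed php.ini fragments: the weak configuration and the remediated one.
WEAK_INI = "xdebug.remote_enable = 1\nxdebug.remote_connect_back = true\nxdebug.remote_host = 127.0.0.1 # ignored\n"
FIXED_INI = "xdebug.remote_enable = 1\nxdebug.remote_connect_back = 0\nxdebug.remote_host = 127.0.0.1\n"

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("fixed", FIXED_INI)):
        print(label, "->", audit_xdebug(parse_ini(ini)))
```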
References