Description

Xdebug is an extension for PHP to assist with debugging and development. It was determined that Xdebug is configured with xdebug.remote_connect_back option enabled as shown in the following example. 

xdebug.remote_enable= true
xdebug.remote_connect_back= true
xdebug.remote_host= 127.0.0.1 # ignored/disabled

When enabled, the xdebug.remote_host setting is ignored and Xdebug will try to connect to the client that made the HTTP request. It checks the $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR'] variables to find out which IP address to use.

If xdebug.remote_addr_header is configured, then the $SERVER variable with the configured name will be checked before the $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR'] variables.

Please note that there is no filter available, and anybody who can connect to the webserver will then be able to start a debugging session, even if their address does not match xdebug.remote_host.

Remediation

Set xdebug.remote_connect_back to 0 (the default value).

xdebug.remote_connect_back = 0

References

xdebug.remote_connect_back

xpwn - exploiting xdebug enabled servers

Related Vulnerabilities

Unrestricted access to Prometheus Metrics

Squid Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2019-12529)

WordPress 3.8.x Multiple Vulnerabilities (3.8 - 3.8.39)

PHP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2010-2100)

CodeIgniter development mode enabled

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Configuration Acumonitor Code Execution