Xdebug remote code execution via xdebug.remote_connect_back - Vulnerability Database

Description

Xdebug is an extension for PHP that assists with debugging and development. It was determined that Xdebug is configured with the xdebug.remote_connect_back option enabled, as in the following example:

xdebug.remote_enable = 1
xdebug.remote_connect_back = 1
xdebug.remote_host = 127.0.0.1 ; ignored while remote_connect_back is on

When enabled, the xdebug.remote_host setting is ignored and Xdebug instead tries to connect to the client that made the HTTP request. To pick the address it checks $_SERVER['HTTP_X_FORWARDED_FOR'] first and falls back to $_SERVER['REMOTE_ADDR']. HTTP_X_FORWARDED_FOR is simply the X-Forwarded-For request header, so any client can set it to an arbitrary value.

If xdebug.remote_addr_header is configured, the $_SERVER entry with the configured name (for example HTTP_X_REAL_IP) is checked before $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR']; that entry is also taken from a client-supplied request header.

Please note that there is no filter available: anybody who can reach the web server can start a debugging session (by sending the XDEBUG_SESSION_START request parameter or the XDEBUG_SESSION cookie, or on every request if xdebug.remote_autostart is on), and Xdebug will connect to whatever address they supplied, even if it does not match xdebug.remote_host. Because the DBGp debugging protocol includes an eval command, whoever receives that connection can execute arbitrary PHP code with the privileges of the web server process, which is why this misconfiguration amounts to remote code execution.
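The following is an added example, not code from this advisory or from Xdebug itself. It models the address lookup Xdebug performs when xdebug.remote_connect_back is on, using the precedence described above (the configured xdebug.remote_addr_header key, then HTTP_X_FORWARDED_FOR, then REMOTE_ADDR), and shows that a request header, not the network peer, decides where the debugger connects. The $_SERVER dictionaries are constructed sample requests, not captured traffic, and returning the header value verbatim is a simplifying assumption.

```python
# Added example, not code from the Invicti advisory or from Xdebug: a model of the
# address lookup Xdebug performs when xdebug.remote_connect_back is enabled, to
# show that a plain request header decides where the debugger connects. The
# precedence (configured remote_addr_header key, then HTTP_X_FORWARDED_FOR, then
# REMOTE_ADDR) is the one described in the advisory; the $_SERVER dictionaries are
# constructed sample requests, not captured traffic.

from typing import Mapping, Optional


def resolve_debug_client(server: Mapping[str, str],
                         remote_addr_header: Optional[str] = None) -> Optional[str]:
    """Return the address Xdebug would connect back to for this request.

    remote_addr_header is the value of xdebug.remote_addr_header, i.e. a key
    into $_SERVER such as 'HTTP_X_REAL_IP'. Assumption: the value is returned
    verbatim; real Xdebug may normalise it further. The lookup order is the point.
    """
    keys = []
    if remote_addr_header:
        keys.append(remote_addr_header)
    keys += ["HTTP_X_FORWARDED_FOR", "REMOTE_ADDR"]
    for key in keys:
        value = server.get(key, "").strip()
        if value:
            return value
    return None


def header_chose_target(server: Mapping[str, str],
                        remote_addr_header: Optional[str] = None) -> bool:
    """True when the connect-back target came from a request header rather than
    from REMOTE_ADDR, i.e. the requester, not the network, picked it."""
    return resolve_debug_client(server, remote_addr_header) != server.get("REMOTE_ADDR")


# Constructed $_SERVER snapshots. 203.0.113.10 is the TCP peer in every case;
# the second request adds a forged X-Forwarded-For header.
HONEST_REQUEST = {
    "REMOTE_ADDR": "203.0.113.10",
    "REQUEST_URI": "/index.php?XDEBUG_SESSION_START=1",
}
SPOOFED_REQUEST = {
    "REMOTE_ADDR": "203.0.113.10",
    "HTTP_X_FORWARDED_FOR": "198.51.100.77",
    "REQUEST_URI": "/index.php?XDEBUG_SESSION_START=1",
}
# Same peer, plus a custom header that xdebug.remote_addr_header might name.
CUSTOM_HEADER_REQUEST = dict(SPOOFED_REQUEST, HTTP_X_REAL_IP="192.0.2.5")


if __name__ == "__main__":
    for name, req in (("honest", HONEST_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        print(f"{name}: Xdebug connects to {resolve_debug_client(req)} "
              f"(header-controlled: {header_chose_target(req)})")
    print("remote_addr_header=HTTP_X_REAL_IP:",
          resolve_debug_client(CUSTOM_HEADER_REQUEST, "HTTP_X_REAL_IP"))
```

With the honest request the debugger would connect to the real peer; with the spoofed request it connects to 198.51.100.77, an address that appears nowhere in the TCP connection, and a configured xdebug.remote_addr_header only moves the choice to a different client-supplied header.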

Remediation

Set xdebug.remote_connect_back to 0 (the default value):

xdebug.remote_connect_back = 0

Debugging sessions then go only to the address in xdebug.remote_host, so keep that pointing at a trusted host. If remote debugging is not needed on the server at all, also set xdebug.remote_enable = 0. Note that Xdebug 3 renamed these options: the equivalent of xdebug.remote_connect_back is xdebug.discover_client_host, which should likewise be left at its default of off.
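As an added example that is not part of this advisory or of Xdebug, the auditor below reads php.ini-style text and reports whether the connect-back behaviour is actually live, i.e. whether the debugger is enabled and told to connect to the requester. Boolean values are interpreted the way PHP's INI parser does (true, yes, on in any case, or a non-zero leading integer, are true; anything else, including an unset key, is false), and the Xdebug 3 spellings (xdebug.mode containing debug together with xdebug.discover_client_host) are checked alongside the Xdebug 2 ones. The sample configurations are constructed for the example.

```python
# Added example, not code from the Invicti advisory or from Xdebug: an auditor
# for php.ini-style text that reports whether the connect-back setting is live.
# Boolean parsing follows PHP's INI rules (true/yes/on in any case, or a
# non-zero leading integer, are true; anything else, including an unset key,
# is false). Xdebug 3 renamed the options (xdebug.mode=debug plus
# xdebug.discover_client_host), so both spellings are checked. All sample
# configurations are constructed for this example.

import re
from typing import Dict, List

_INI_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_ini(text: str) -> Dict[str, str]:
    """Return key -> value for 'key = value' lines. ';' starts a comment and
    surrounding quotes are stripped; [sections] and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _INI_LINE.match(raw.split(";", 1)[0])
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip('"\'')
    return settings


def ini_bool(value: str) -> bool:
    """Mirror PHP's zend_ini_parse_bool: 'true', 'yes', 'on' are true; otherwise
    the value is read like atoi() and is true when non-zero."""
    v = value.strip().lower()
    if v in ("true", "yes", "on"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return m is not None and int(m.group(0)) != 0


def connect_back_active(cfg: Dict[str, str]) -> bool:
    """Is the debugger both enabled and told to connect to the requester?"""
    # Xdebug 2 spelling: both switches must be on for the exposure to exist.
    v2 = ini_bool(cfg.get("xdebug.remote_enable", "0")) and \
        ini_bool(cfg.get("xdebug.remote_connect_back", "0"))
    # Xdebug 3 spelling: mode is a comma-separated list that must contain 'debug'.
    modes = {m.strip() for m in cfg.get("xdebug.mode", "").lower().split(",")}
    v3 = "debug" in modes and ini_bool(cfg.get("xdebug.discover_client_host", "0"))
    return v2 or v3


def audit_xdebug(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the setting is safe."""
    cfg = parse_ini(text)
    findings: List[str] = []
    if connect_back_active(cfg):
        findings.append("Xdebug connects back to the address named in the HTTP request; "
                        "set xdebug.remote_connect_back = 0 "
                        "(xdebug.discover_client_host = 0 on Xdebug 3)")
        header = cfg.get("xdebug.remote_addr_header") or cfg.get("xdebug.client_discovery_header")
        if header:
            findings.append(f"custom discovery header {header} is consulted first "
                            "and is client-supplied")
    return findings


# Constructed samples: the weak configuration from the advisory and its fix.
WEAK_INI = """
[xdebug]
xdebug.remote_enable = On
xdebug.remote_connect_back = true
xdebug.remote_host = 127.0.0.1 ; ignored while connect_back is on
"""
FIXED_INI = """
[xdebug]
xdebug.remote_enable = 1
xdebug.remote_connect_back = 0
xdebug.remote_host = 127.0.0.1
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("fixed", FIXED_INI)):
        print(label, audit_xdebug(ini) or ["ok"])
```

Feed it the output of `php --ini` targets or `php -i` lines trimmed to key = value form; a configuration that sets xdebug.remote_connect_back = 1 while xdebug.remote_enable is off produces no finding, because the debugger never starts, but the tidy fix is still to return the option to 0.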
