Xdebug remote code execution via xdebug.remote_connect_back - Vulnerability Database

Xdebug remote code execution via xdebug.remote_connect_back

Description

Xdebug is a debugging and development extension for PHP. When the xdebug.remote_connect_back configuration option is enabled, Xdebug automatically establishes a debugging connection back to the IP address of the client making the HTTP request, rather than using the configured xdebug.remote_host value. That address is taken from HTTP request headers such as X-Forwarded-For (which the client controls) or, failing that, from the client's remote address. Because this feature has no authentication or IP filtering, any client capable of reaching the web server can initiate a debugging session and potentially execute arbitrary PHP code on the server. This configuration is particularly dangerous in production environments or when the server is accessible from untrusted networks.

Remediation

Disable the xdebug.remote_connect_back setting immediately, especially in production environments. This option should be set to 0 (disabled) in your PHP configuration file (php.ini or Xdebug-specific configuration):

xdebug.remote_connect_back = 0

Additionally, implement the following security measures:

  • Remove or disable Xdebug entirely in production environments, as it is intended only for development purposes
  • If Xdebug must be used, explicitly configure xdebug.remote_host to a specific trusted IP address rather than relying on automatic detection
  • Ensure xdebug.remote_enable is set to 0 in production
  • Use environment-specific configuration files to prevent debugging extensions from being loaded in production
  • Regularly audit your PHP configuration to ensure debugging tools are not inadvertently enabled

After making configuration changes, restart your web server to apply the new settings and verify the changes by checking the output of phpinfo() or reviewing the active configuration.
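To support that verification step, the following added audit script (not part of this advisory or of Xdebug) parses a php.ini-style file and reports the settings discussed above. It assumes the Xdebug 2 directive names used in this entry and, as an assumption about newer installs, also checks the renamed Xdebug 3 equivalents (xdebug.discover_client_host and xdebug.mode); the sample configurations are constructed.

```python
"""Audit a php.ini-style configuration for Xdebug remote-debugging exposure."""
from typing import Dict, List

TRUE_VALUES = {"1", "on", "true", "yes"}


def parse_ini(text: str) -> Dict[str, str]:
    """Flatten INI directives into a lowercase key -> value map (last one wins)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop php.ini ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, [section] header, or not a directive
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip("\"'").lower()
    return settings


def is_enabled(settings: Dict[str, str], key: str) -> bool:
    return settings.get(key, "0") in TRUE_VALUES


def audit_xdebug(text: str) -> List[str]:
    """Return findings for directives that expose the debugger to arbitrary clients."""
    s = parse_ini(text)
    findings: List[str] = []
    # Xdebug 2 directive names, as used in the advisory.
    if is_enabled(s, "xdebug.remote_connect_back"):
        findings.append("xdebug.remote_connect_back=1: debugger connects back to any requesting client")
    if is_enabled(s, "xdebug.remote_enable"):
        host = s.get("xdebug.remote_host", "localhost")  # Xdebug 2 default
        findings.append(f"xdebug.remote_enable=1 (remote_host={host}); disable in production")
    # Xdebug 3 renamed the same behaviour (assumption: Xdebug 3 directive names).
    if is_enabled(s, "xdebug.discover_client_host"):
        findings.append("xdebug.discover_client_host=1: Xdebug 3 equivalent of remote_connect_back")
    if "debug" in s.get("xdebug.mode", "off").split(","):
        findings.append("xdebug.mode includes debug; remote debugging is active")
    return findings


# Constructed sample configurations: a risky leftover and its hardened form.
RISKY_INI = """[xdebug]
zend_extension = xdebug.so
xdebug.remote_enable = 1
xdebug.remote_connect_back = 1  ; left over from development
xdebug.remote_port = 9000
"""
HARDENED_INI = """[xdebug]
xdebug.remote_enable = 0
xdebug.remote_connect_back = 0
xdebug.remote_host = 127.0.0.1
"""

if __name__ == "__main__":
    for name, ini in (("risky", RISKY_INI), ("hardened", HARDENED_INI)):
        print(name, audit_xdebug(ini) or ["no Xdebug exposure found"])
```

Run it against the output of `php --ini` paths or the relevant conf.d file after restarting the web server; an empty result means none of the checked directives is active.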
