Description

Xdebug is an extension for PHP to assist with debugging and development. It was determined that Xdebug is configured with the xdebug.remote_connect_back option enabled, as shown in the following example.

xdebug.remote_enable = true
xdebug.remote_connect_back = true
xdebug.remote_host = 127.0.0.1 # ignored/disabled

When enabled, the xdebug.remote_host setting is ignored and Xdebug will try to connect to the client that made the HTTP request. It checks the $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR'] variables to find out which IP address to use.

If xdebug.remote_addr_header is configured, then the $_SERVER variable with the configured name will be checked before the $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR'] variables.

Please note that there is no filter available: anybody who can connect to the web server will be able to start a debugging session, even if their address does not match xdebug.remote_host.

Remediation

Set xdebug.remote_connect_back to 0 (the default value).

xdebug.remote_connect_back = 0
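The following script is an added example written for this page; it is not part of Xdebug or of the original advisory. It parses a php.ini fragment (the vulnerable snippet above and the remediated one), reports whether the finding applies, and mirrors the client-address lookup order described in the Description (xdebug.remote_addr_header if set, then HTTP_X_FORWARDED_FOR, then REMOTE_ADDR) so you can see that with remote_connect_back enabled a request header, not xdebug.remote_host, decides where Xdebug connects. The ini text and the $_SERVER values are constructed sample input; treating '#' as a comment character is an assumption made only to accept the snippet as printed on this page (php.ini itself uses ';').

```python
"""Audit php.ini text for Xdebug's remote_connect_back setting and show which
client address Xdebug would connect back to for a given request (added example)."""

# Values PHP's ini parser treats as true / false (case-insensitive).
_TRUE = {"1", "on", "yes", "true"}
_FALSE = {"0", "off", "no", "false", "none", ""}

# Constructed sample input: the vulnerable configuration from this advisory.
VULNERABLE_INI = """
xdebug.remote_enable = true
xdebug.remote_connect_back = true
xdebug.remote_host = 127.0.0.1 # ignored/disabled
"""

# Constructed sample input: the same file after applying the remediation.
REMEDIATED_INI = """
xdebug.remote_enable = true
xdebug.remote_connect_back = 0
xdebug.remote_host = 127.0.0.1
"""

# Constructed $_SERVER contents (documentation address ranges, not real hosts).
SAMPLE_SERVER = {
    "REMOTE_ADDR": "203.0.113.10",
    "HTTP_X_FORWARDED_FOR": "198.51.100.7",
}


def parse_ini(text):
    """Parse 'key = value' lines into a dict. Strips ';' and '#' comments
    (the latter is an assumption, see lead-in) and surrounding quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip("\"'")
    return settings


def ini_bool(value):
    """Interpret an ini value the way PHP does for boolean directives."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"unrecognised ini boolean: {value!r}")


def connect_back_enabled(settings):
    """The finding applies when remote debugging is on and connect-back is on."""
    return (ini_bool(settings.get("xdebug.remote_enable", "0"))
            and ini_bool(settings.get("xdebug.remote_connect_back", "0")))


def debug_client_address(settings, server):
    """Address Xdebug would connect back to, following the order the advisory
    describes. With connect-back disabled the request is not consulted and
    xdebug.remote_host is used (Xdebug's default is 'localhost')."""
    if not connect_back_enabled(settings):
        return settings.get("xdebug.remote_host", "localhost")
    lookup_order = []
    custom_header = settings.get("xdebug.remote_addr_header", "")
    if custom_header:
        lookup_order.append(custom_header)
    lookup_order += ["HTTP_X_FORWARDED_FOR", "REMOTE_ADDR"]
    for key in lookup_order:
        if server.get(key):
            return server[key]
    return None


def audit(text, server):
    """Return (finding_applies, address) for one ini fragment and request."""
    settings = parse_ini(text)
    return connect_back_enabled(settings), debug_client_address(settings, server)


if __name__ == "__main__":
    for label, ini in (("vulnerable", VULNERABLE_INI), ("remediated", REMEDIATED_INI)):
        applies, addr = audit(ini, SAMPLE_SERVER)
        print(f"{label}: remote_connect_back enabled={applies}, "
              f"Xdebug would connect to {addr}")
```

Run it against the two fragments: the vulnerable configuration picks the address supplied in the X-Forwarded-For header of the request, while the remediated configuration ignores the request entirely and uses xdebug.remote_host. Feeding the script your real php.ini (or the output of `php -i`) turns it into a quick check that the remediation is actually in effect.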
