Description
Xdebug is an extension for PHP to assist with debugging and development. It was determined that Xdebug is configured with the xdebug.remote_connect_back option enabled, as shown in the following example.
xdebug.remote_enable = true
xdebug.remote_connect_back = true
xdebug.remote_host = 127.0.0.1 ; ignored while remote_connect_back is enabled
When this option is enabled, the xdebug.remote_host setting is ignored and Xdebug will try to connect back to the client that made the HTTP request. It checks the $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR'] variables to find out which IP address to use.
If xdebug.remote_addr_header is configured, then the $_SERVER variable with the configured name will be checked before the $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR'] variables.
Please note that there is no filter available, and anybody who can connect to the webserver will then be able to start a debugging session, even if their address does not match xdebug.remote_host.
Remediation
Set xdebug.remote_connect_back to 0 (the default value).
xdebug.remote_connect_back = 0
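The following is an added audit script, not part of this advisory or of Xdebug itself. It parses php.ini-style text using PHP's own boolean rules (On/Yes/True or a non-zero number count as enabled, so "true" and "On" above are both flagged) and reports the weak setting against a constructed sample of the vulnerable configuration and its remediated form. The Xdebug 3 name xdebug.discover_client_host is checked as well; that name is not on this page.

```python
# Constructed sample matching the weak configuration described above (not a real server's ini).
WEAK_INI = """\
zend_extension = xdebug.so
xdebug.remote_enable = true
xdebug.remote_connect_back = On   ; remote_host below is ignored while this is on
xdebug.remote_host = 127.0.0.1
"""

# Constructed sample of the remediated configuration.
FIXED_INI = """\
zend_extension = xdebug.so
xdebug.remote_enable = true
xdebug.remote_connect_back = 0
xdebug.remote_host = 127.0.0.1
"""

# Xdebug 2 option name from the advisory, plus the Xdebug 3 replacement (assumption: both worth checking).
CONNECT_BACK_KEYS = ("xdebug.remote_connect_back", "xdebug.discover_client_host")


def parse_ini(text):
    """Minimal php.ini parser: ';' starts a comment, lines are 'key = value', quotes are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"\'')
    return settings


def ini_bool(value):
    """PHP's boolean ini rule: 'on', 'yes', 'true' are true; otherwise the leading integer must be non-zero."""
    v = value.strip().lower()
    if v in ("on", "yes", "true"):
        return True
    try:
        return int(v) != 0
    except ValueError:
        return False  # 'off', 'no', 'false', 'none', '' and other non-numeric strings are false


def audit_xdebug(text):
    """Return the names of connect-back options that are effectively enabled in the given ini text."""
    settings = parse_ini(text)
    return [key for key in CONNECT_BACK_KEYS if ini_bool(settings.get(key, "0"))]
```

Run audit_xdebug over the output of `php --ini` locations or over the text of each loaded ini file; a non-empty result means any HTTP client can open a debugging session regardless of xdebug.remote_host.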