Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Xdebug Unauthenticated OS Command Injection Vulnerability
Vulnerability
A vulnerability allowing unauthenticated OS command injection exists in Xdebug, a PHP debugging extension, in versions through 2.5.5. When remote debugging is enabled, Xdebug listens on port 9000 and accepts commands without authentication. An attacker can exploit this by sending a crafted eval command to execute arbitrary PHP code, potentially invoking system-level functions. This leads to a full compromise of the host under the web server user's privileges.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed code running under the web server user's privileges. This could lead to a complete system compromise.
Reproduction
To reproduce this vulnerability, Xdebug must be installed and configured to allow remote debugging. This involves setting 'xdebug.remote_enable' to '1' and 'xdebug.remote_connect_back' to '1' in the php.ini file. Once Xdebug is active, it will connect back to any host that activates it, allowing for the execution of arbitrary PHP code via the debug protocol. The vulnerability can be exploited by sending a request with the 'XDEBUG_SESSION_START' parameter, which triggers Xdebug to connect back and accept commands.
Remediation
Users are advised to update their Xdebug configuration to disable remote debugging or to remove Xdebug from publicly accessible servers. The recommended configuration is to set 'xdebug.remote_enable' to 'false' and 'xdebug.remote_connect_back' to 'false'.
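The two settings named in the Reproduction and Remediation sections are the whole of the exposure, so a configuration audit can be reduced to reading them out of php.ini. The following is an added example, not code from the advisory or from the Xdebug project: it parses a php.ini excerpt and reports whether the Xdebug 2.x settings match the exposed state ('xdebug.remote_enable' and 'xdebug.remote_connect_back' both on) or the recommended hardened state (both false). The sample ini texts are constructed for illustration, and the helper names (parse_ini, audit_xdebug_ini) are this example's own. It accepts the boolean spellings PHP's ini parser treats as on (1, on, true, yes), since a setting written as "On" is just as exposed as one written as "1".

```python
"""Audit a php.ini excerpt for the Xdebug 2.x remote-debugging settings.

Added example, not part of the advisory. The sample ini text below is
constructed; parse_ini/audit_xdebug_ini are names chosen for this example.
"""
import re

# Values PHP's ini parser treats as "on". Everything else (0, off, false,
# no, none, empty string) is off; Xdebug settings accept the same spellings.
_TRUTHY = {"1", "on", "true", "yes"}

_KV = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_ini(text):
    """Return {key: value} for simple `key = value` lines.

    [section] headers and ';' comments (whole-line or trailing) are ignored,
    keys are lower-cased, and surrounding quotes are stripped from values.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("["):
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip("\"'")
        settings[key] = value.lower()
    return settings


def is_on(value):
    """PHP-style boolean test for an ini value."""
    return value in _TRUTHY


def audit_xdebug_ini(text):
    """Classify the Xdebug 2.x remote-debugging exposure of a php.ini text.

    Both settings default to off in Xdebug 2 when absent, so a missing key
    is treated as "0". The config is only exposed when both are on: with
    remote_enable off, connect_back has nothing to act on.
    """
    s = parse_ini(text)
    remote_enable = is_on(s.get("xdebug.remote_enable", "0"))
    connect_back = is_on(s.get("xdebug.remote_connect_back", "0"))
    findings = []
    if remote_enable:
        findings.append("xdebug.remote_enable is on: remote debugging is active")
        if connect_back:
            findings.append(
                "xdebug.remote_connect_back is on: any client that sends "
                "XDEBUG_SESSION_START receives a debug connection"
            )
    return {
        "remote_enable": remote_enable,
        "connect_back": connect_back,
        "exposed": remote_enable and connect_back,
        "findings": findings,
    }


# Constructed sample: the state the Reproduction section describes.
EXPOSED_INI = """\
[xdebug]
zend_extension = xdebug.so
xdebug.remote_enable = 1
xdebug.remote_connect_back = On   ; PHP reads On/True/Yes as enabled too
xdebug.remote_port = 9000
"""

# Constructed sample: the Remediation section's recommended settings.
HARDENED_INI = """\
[xdebug]
zend_extension = xdebug.so
xdebug.remote_enable = false
xdebug.remote_connect_back = false
"""


if __name__ == "__main__":
    for name, ini in (("exposed", EXPOSED_INI), ("hardened", HARDENED_INI)):
        result = audit_xdebug_ini(ini)
        print(name, "EXPOSED" if result["exposed"] else "ok", result["findings"])
```

To audit a live host, `php --ini` lists the loaded configuration files, including any conf.d fragment that enables Xdebug; feed each of those to `audit_xdebug_ini`. The script covers only the Xdebug 2.x setting names used in this advisory; Xdebug 3 replaced them (remote debugging is selected with `xdebug.mode`, and `xdebug.remote_connect_back` became `xdebug.discover_client_host`), so a 3.x install needs the equivalent keys checked. Per the Remediation section, the surest fix on a publicly reachable server remains removing the extension rather than tuning it.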