PHP Xdebug Module Unauthenticated RCE (exploit)

Critical Nessus Plugin ID 112210

Synopsis

The remote web server has a PHP debugging extension loaded that is affected by a remote command execution vulnerability.

Description

The PHP Xdebug module installed on the remote host is version 2.5.5 or earlier and is configured in a vulnerable manner (xdebug.remote_connect_back is enabled).
It is therefore affected by a remote command execution vulnerability. A remote, unauthenticated attacker can leverage this issue to execute arbitrary commands on the remote host.

Solution

Upgrade to Xdebug version 2.6.0 or later. Additionally, remove the following line from the Xdebug configuration, or set the directive to 0 (its default value):
xdebug.remote_connect_back = true
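The two conditions the plugin names (a release no later than 2.5.5 and xdebug.remote_connect_back switched on) can be checked offline against a php.ini or xdebug.ini excerpt. The following audit script is an added example, not Nessus or Xdebug code. It assumes the installed version string has been obtained separately (for instance from `php -r 'echo phpversion("xdebug");'`) and, beyond what the page states, treats xdebug.remote_enable as a precondition, since connect-back only takes effect once remote debugging is enabled at all. The ini fragments in the block are constructed samples.

```python
import re
from dataclasses import dataclass

# Added example: an offline audit of an Xdebug 2.x ini fragment against the
# conditions the plugin names (version <= 2.5.5, xdebug.remote_connect_back on).
# Not Nessus or Xdebug code. Assumptions are marked in the comments below.

# Strings PHP's ini parser treats as boolean true (case-insensitive); the
# "true" in the Solution's sample line is therefore equivalent to "1".
PHP_INI_TRUE = {"1", "on", "yes", "true"}

# Highest affected release according to the plugin description.
LAST_AFFECTED = (2, 5, 5)


def php_ini_bool(value: str) -> bool:
    """Interpret an ini value the way PHP does for boolean directives."""
    return value.strip().strip("\"'").lower() in PHP_INI_TRUE


def parse_ini(text: str) -> dict:
    """Minimal php.ini parser: key = value lines, ';' comments, [sections] ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def parse_version(version: str) -> tuple:
    """'2.5.5' -> (2, 5, 5). Assumption: plain dotted version; suffixes are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Xdebug version string: {version!r}")
    return tuple(int(g) for g in m.groups())


@dataclass
class XdebugFinding:
    version_affected: bool   # release <= 2.5.5, per the plugin
    remote_enabled: bool     # xdebug.remote_enable (assumption: needed for any remote session)
    connect_back: bool       # xdebug.remote_connect_back, the directive the Solution names
    vulnerable: bool         # all three conditions hold
    advice: list


def assess(ini_text: str, version: str) -> XdebugFinding:
    """Combine the version check with the configuration check and suggest fixes."""
    s = parse_ini(ini_text)
    version_affected = parse_version(version) <= LAST_AFFECTED
    # Both directives default to 0 in Xdebug 2.x when absent.
    remote_enabled = php_ini_bool(s.get("xdebug.remote_enable", "0"))
    connect_back = php_ini_bool(s.get("xdebug.remote_connect_back", "0"))
    vulnerable = version_affected and remote_enabled and connect_back
    advice = []
    if version_affected:
        advice.append("upgrade Xdebug to 2.6.0 or later")
    if connect_back:
        advice.append("set xdebug.remote_connect_back = 0 (or remove the line; 0 is the default)")
    if remote_enabled:
        advice.append("disable xdebug.remote_enable on hosts that are not being debugged")
    return XdebugFinding(version_affected, remote_enabled, connect_back, vulnerable, advice)


# Constructed sample inputs (not taken from a real host).
VULNERABLE_INI = """
[xdebug]
zend_extension = xdebug.so
xdebug.remote_enable = 1
xdebug.remote_connect_back= true   ; the line the Solution says to remove
xdebug.remote_port = 9000
"""

HARDENED_INI = """
[xdebug]
zend_extension = xdebug.so
xdebug.remote_enable = 1
xdebug.remote_connect_back = 0     ; Xdebug now only dials xdebug.remote_host
xdebug.remote_host = 127.0.0.1
"""

if __name__ == "__main__":
    for label, ini, ver in (("vulnerable", VULNERABLE_INI, "2.5.5"),
                            ("hardened", HARDENED_INI, "2.5.5"),
                            ("upgraded", VULNERABLE_INI, "2.6.0")):
        f = assess(ini, ver)
        print(f"{label:10s} version={ver} vulnerable={f.vulnerable} advice={f.advice}")
```

Run it with the real ini text and version from a host to get the same three-way split the plugin implies: the upgrade alone clears the finding, disabling connect-back alone clears it, and doing both is the sensible end state.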

See Also

http://www.nessus.org/u?bc8ca583

https://paper.seebug.org/397/

https://www.rapid7.com/db/modules/exploit/unix/http/xdebug_unauth_exec

Plugin Details

Severity: Critical

ID: 112210

File Name: xdebug_unauth_rce.nbin

Version: 1.1

Type: remote

Family: CGI abuses

Published: 2018/08/31

Modified: 2018/08/31

Dependencies: 10662

Risk Information

Risk Factor: Critical

CVSS Score Source: manual

CVSS Score Rationale: Unauthenticated system-level access.

CVSSv2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSSv3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: x-cpe:/a:xdebug:xdebug

Excluded KB Items: Settings/disable_cgi_scanning

Exploited by Nessus: true

Patch Publication Date: 2015/11/13

Vulnerability Publication Date: 2015/11/13