PHP Xdebug Module Unauthenticated RCE (exploit)
Critical Nessus Plugin ID 112210
Synopsis
The remote web server has a PHP debugging extension loaded that is affected by a remote command execution vulnerability.
Description
The PHP Xdebug module installed on the remote host is version 2.5.5 or earlier and is configured in a vulnerable manner.
It is therefore affected by a remote command execution vulnerability. A remote, unauthenticated attacker can leverage this issue to execute arbitrary commands on the remote host.
Solution
Upgrade to Xdebug version 2.60 or later. Additionally, the following line may be removed from the Xdebug configuration: