id: CVE-2015-10141

info:
  name: Xdebug <= 2.5.5 - Command Injection
  author: pwnhxl
  severity: critical
  description: |
    Xdebug <= 2.5.5 contains an unauthenticated command injection caused by accepting debugger protocol commands without authentication when remote debugging is enabled, letting remote attackers execute arbitrary PHP code and system commands. Exploitation requires remote debugging to be enabled.
  impact: |
    Attackers can execute arbitrary PHP code and system commands remotely without authentication, leading to complete server compromise.
  remediation: |
    Disable remote debugging in production environments or upgrade to Xdebug version 2.6.0 or later with proper authentication controls.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce
    - https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
    - https://paper.seebug.org/397/
    - https://github.com/D3Ext/XDEBUG-Exploit
    - https://www.exploit-db.com/exploits/44568
    - https://www.vulncheck.com/advisories/xdebug-remote-debugger-unauth-os-command-execution
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cve-id: CVE-2015-10141
    cwe-id: CWE-78
    epss-score: 0.65707
    epss-percentile: 0.98529
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2015,oast,rce,vulhub,php,debug,xdebug,intrusive,vuln

http:
  - raw:
      - |
        GET /?XDEBUG_SESSION_START={{randstr}} HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: {{interactsh-url}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: header
        words:
          - 'Set-Cookie: XDEBUG_SESSION={{randstr}}'

      - type: status
        status:
          - 200
# digest: 4a0a004730450221009a9887711486d3b4a99da91913e857d8c023b15dcdae8a47a2076f99c09acd740220045ff2e2dd71de7498015e1cd9514cefd6bc94d3e41423e7a8e707f2a4666eb9:922c64590222798bb761d5b6d8e72950