Ricter Zheng

2 exploits Active since Jul 2025
CVE-2015-10141 EXPLOITDB CRITICAL ruby WORKING POC
Xdebug < 2.5.5 - Unauthenticated OS Command Injection via Remote Debugger Interface
An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker can send a crafted eval command over this interface to execute arbitrary PHP code, which may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user.
CVE-2015-10141 METASPLOIT CRITICAL ruby WORKING POC
Xdebug < 2.5.5 - Unauthenticated OS Command Injection via Remote Debugger Interface
An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker can send a crafted eval command over this interface to execute arbitrary PHP code, which may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user.