2

I have a VPS account on which I set up a Linux server to host some customer websites, and to upload "previews" of websites before publishing them to the production server.

I develop the websites on my own machine (Windows) and do most of the testing there. Because of the difference in platform, sometimes problems appear on the Linux host, and I could use a debugging interface on that...

My question is how safe is it to have xdebug on a remote public server which would also be used for hosting production websites? Is it possible? Recommended? What do you think?

Thanks...

Rolf
  • 5,550
  • 5
  • 41
  • 61

2 Answers2

5

xdebug is perfectly safe on a remote instance as long as you set the xdebug.remote_host variable. Otherwise it is a MAJOR secuirty problem because it would allow the attacker to view any variable in memory during runtime. It could be used to obtain your mysql login or any other secret variables you may have.

edit: A VPN is a good solution to keep leaking sensitive data over the net in plain text.

rook
  • 66,304
  • 38
  • 162
  • 239
  • 1
    That might be true if you had a way of preventing IP traffic to the remote_host (which is probably completely unencrypted) from being intercepted (eavesdropped on). But there is no such guarantee on the Internet in general, only if you've gone through special effort to set up e.g., VPNs. – derobert Oct 24 '11 at 20:48
  • Actually, the authentication parts of SO are not plain text; they run over HTTPS. The plaintext parts are largely public anyway. But considering what XDebug exposes (everything, including passwords), running that over an insecure transport is quite dangerous. Considering you can also *change* variables (and if you can sniff the connection, you can inject your own commands as well by spoofing packets), you essentially have full control over the site. Sometimes you can even inject packets without sniffing... – derobert Oct 24 '11 at 21:07
  • You are correct about SO w/r/t session hijacking, and yeah, they should fix that. – derobert Oct 24 '11 at 21:23
4

XDebug is possible, but not recommended on production, as it can slow your application. You should think the other way round and use linux as a development machine. If you can't (or don't want) to switch to Linux you can stay on Windows and use a virtual machine as a linux development server. If you do, try to be as close as you can as the production environment : same linux distribution, same version of php.

I work on linux and so does everyone in my firm, and the recommended solution in my firm is LXC, a very light virtualization solution. By light I mean it won't take ages to refresh your working tree in your IDE, because you don't have to mount the working tree on the host: the guest filesystem is a subtree of the host filesystem. This way, I still can have an up-to-date fedora linux for my desktop, and develop on a debian with php 5.2 if I need to (and I need to). The thing is, when the virtual machine is configured for a given project, I can archive it and send it to a colleague that joins the project. This makes starting projects easier for newcomers.

Community
  • 1
  • 1
greg0ire
  • 22,714
  • 16
  • 72
  • 101
  • +1 for virtualization. Just create a separate (virtual) Linux development environment that closely resembles the configuration of the production server. – GolezTrol Oct 24 '11 at 20:50
  • That's what I'm doing right now, it's just that in some rare cases, problems which are specific to the production server appear on deployment, and I was looking for a straightforward way to solve them. – Rolf May 11 '13 at 01:46