CVE-2008-3400
xrms_crm 1.99.2 - Exposure of Sensitive Information via Direct Request to tests/info.php
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2008-3400. PoCs published by AzzCoder.
AI-analyzed exploit summary: This is a technical writeup detailing multiple vulnerabilities in XRMS CRM, including Remote File Inclusion (RFI), Cross-Site Scripting (XSS), and information disclosure via phpinfo(). The RFI vulnerability requires register_globals to be enabled and targets the $include_directory variable in activities/workflow-activities.php.
Description
XRMS CRM 1.99.2 allows remote attackers to obtain configuration information via a direct request to tests/info.php, which calls the phpinfo function.