phpIPAM 1.4.4 - SQL Injection

Summary

NamephpIPAM 1.4.4 - SQL Injection
Code nameMercury
ProductphpIPAM
Affected versions1.4.4
Fixed versions1.4.5
StatePublic
Release date2022-01-18

Vulnerability

KindSQL injection
Rule146. SQL injection
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CVSSv3 Base Score4.7
Exploit availableNo
CVE ID(s)CVE-2022-23046

Description

phpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php.

Proof of Concept

Steps to reproduce

  1. Go to settings and enable the routing module.
  2. Go to show routing.
  3. Click on "Add peer" and create a new "BGP peer".
  4. Click on the newly created "BGP peer".
  5. Click on "Actions" and go to "Subnet Mapping".
  6. Scroll down to "Map new subnet".
  7. Insert an SQL Injection sentence inside the search parameter, for example: " union select @@version,2,user(),4 -- -.

System Information

  • Version: phpIPAM IP address management v1.4.4.
  • Operating System: Linux.
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: Mysql

Exploit

An exploit developed for another researcher can be found at ExploitDB.

Mitigation

An updated version of phpIPAM is available at the vendor page.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://phpipam.net/

Patched version https://github.com/phpipam/phpipam/releases/tag/v1.4.5

Timeline

Time-lapse-logo

2022-01-06

Vulnerability discovered.

Time-lapse-logo

2022-01-07

Vendor contacted.

Time-lapse-logo

2022-01-07

Vendor replied acknowledging the report.

Time-lapse-logo

2022-01-17

Vulnerability patched.

Time-lapse-logo

2022-01-18

Public Disclosure.