phpIPAM 1.4.4 - SQL Injection
Summary
| Name | phpIPAM 1.4.4 - SQL Injection |
| Code name | |
| Product | phpIPAM |
| Affected versions | 1.4.4 |
| Fixed Versions | 1.4.5 |
| State | Public |
| Release date | 2022-01-18 |
Vulnerability
| Kind | SQL injection |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| CVSSv3.1 Base Score | 4.7 |
| Exploit available | No |
| CVE ID(s) |
Description
phpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php.
Proof of Concept
Steps to reproduce
- Go to settings and enable the routing module.
- Go to show routing.
- Click on "Add peer" and create a new "BGP peer".
- Click on the newly created "BGP peer".
- Click on "Actions" and go to "Subnet Mapping".
- Scroll down to "Map new subnet".
- Insert an SQL Injection sentence inside the search parameter, for example:
" union select @@version,2,user(),4 -- -.
System Information
- Version: phpIPAM IP address management v1.4.4.
- Operating System: Linux.
- Web Server: Apache
- PHP Version: 7.4
- Database and version: Mysql
Exploit
An exploit developed for another researcher can be found at ExploitDB.
Mitigation
An updated version of phpIPAM is available at the vendor page.
Credits
The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.
References
Vendor page https://phpipam.net/
Patched version https://github.com/phpipam/phpipam/releases/tag/v1.4.5
Timeline
2022-01-06
Vulnerability discovered.
2022-01-07
Vendor contacted.
2022-01-07
Vendor replied acknowledging the report.
2022-01-17
Vulnerability patched.
2022-01-18
Public Disclosure.
