phpIPAM 1.4.4 - Stored XSS

Summary

NamephpIPAM 1.4.4 - Stored XSS
Code nameOsbourne
ProductphpIPAM
Affected versions1.4.4
Fixed versions1.4.5
StatePublic
Release date2022-01-18

Vulnerability

KindStored cross-site scripting (XSS)
Rule010. Stored cross-site scripting (XSS)
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Base Score4.8
Exploit availableNo
CVE ID(s)CVE-2022-23045

Description

phpIPAM v1.4.4 allows an authenticated admin user to inject persistent javascript code inside the "Site title" parameter while updating the site settings. The "Site title" setting is injected in several locations which triggers the XSS.

Proof of Concept

Steps to reproduce:

XSS:

  1. Go to "http://192.168.1.5/phpipam/index.php?page=administration&section=settings".
  2. Update the "Site Title" parameter with " autofocus onfocus=alert(1)>.
  3. Click on 'Save'.
  4. If a user visits the settings page the javascript code will be rendered.

Open redirect:

  1. Go to "http://192.168.1.5/phpipam/index.php?page=administration&section=settings".
  2. Update the "Site Title" parameter with 0;url=https://google.com" http-equiv="refresh".
  3. Click on 'Save'.
  4. If a user reloads the page, they will be redirected to https://google.com.

System Information

  • Version: phpIPAM IP address management v1.4.4.
  • Operating System: Linux.
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: Mysql

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

An updated version of phpIPAM is available at the vendor page.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://phpipam.net/

Patched version https://github.com/phpipam/phpipam/releases/tag/v1.4.5

Timeline

Time-lapse-logo

2022-01-06

Vulnerability discovered.

Time-lapse-logo

2022-01-07

Vendor contacted.

Time-lapse-logo

2022-01-07

Vendor replied acknowledging the report.

Time-lapse-logo

2022-01-17

Vulnerability patched.

Time-lapse-logo

2022-01-18

Public Disclosure.