phpIPAM 1.4.4 - SQL Injection
4,7
Medium
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
phpIPAM 1.4.4 - SQL Injection
Code name
State
Public
Release date
18 de jan. de 2022
Affected product
phpIPAM
Affected version(s)
1.4.4
Fixed version(s)
1.4.5
Vulnerability name
SQL injection
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CVSS v3.1 base score
4.7
Exploit available
No
CVE ID(s)
Description
phpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php.
Proof of Concept
Steps to reproduce
Go to settings and enable the routing module.
Go to show routing.
Click on "Add peer" and create a new "BGP peer".
Click on the newly created "BGP peer".
Click on "Actions" and go to "Subnet Mapping".
Scroll down to "Map new subnet".
Insert an SQL Injection sentence inside the search parameter, for example:
" union select @@version,2,user(),4 -- -.
System Information
Version: phpIPAM IP address management v1.4.4.
Operating System: Linux.
Web Server: Apache
PHP Version: 7.4
Database and version: Mysql
Exploit
An exploit developed for another researcher can be found at ExploitDB.
Mitigation
An updated version of phpIPAM is available at the vendor page.
References
Vendor page https://phpipam.net/
Patched version https://github.com/phpipam/phpipam/releases/tag/v1.4.5
Timeline
Vulnerability discovered
6 de jan. de 2022
Vendor contacted
7 de jan. de 2022
Vendor replied
7 de jan. de 2022
Vulnerability patched
17 de jan. de 2022
Public disclosure
18 de jan. de 2022
