Incorrect Privilege Assignment in phpipam/phpipam

Valid

Reported on Feb 4th 2022


Description

phpIPAM 1.4.5 incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor in the Import/Export feature. A normal user with the role of User can download an XLS file of IP addresses, a hostfile dump and an export of the system database containing sensitive information via the generate-xls.php, generate-hosts.php and generate-mysql.php endpoints respectively. These administrative operations are supposed to be accessible to the Administrator only.

Proof of Concept

Tested version: phpIPAM 1.4.5


Affected endpoints:

1. GET http://{HOST}/app/admin/import-export/generate-xls.php

2. GET http://{HOST}/app/admin/import-export/generate-mysql.php

3. GET http://{HOST}/app/admin/import-export/generate-hosts.php


Steps to reproduce:

1. Go to the affected endpoints listed above.

2. Log in as a user with the role of User.

3. The XLS file of IP addresses, the MySQL database dump and the hostfile dump can all be exported.

Impact

This vulnerability allows a low-privileged user to export the full system database, revealing sensitive information about the parties recorded in it.
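An added post-incident check, not part of this report or of phpIPAM, for instances that ran 1.4.5: it scans access entries for successful hits on the three affected endpoints by accounts that are not Administrators. It assumes a constructed, simplified log line format in which the web-server entry has already been joined with the phpIPAM session user (for example by a SIEM), and a username-to-role map taken from the phpIPAM user table.

```python
import re
from typing import Dict, Iterable, List

# The three Import/Export endpoints named in the report; all live under app/admin/,
# which phpIPAM intends to be reachable by Administrators only.
AFFECTED_ENDPOINTS = {
    "/app/admin/import-export/generate-xls.php",
    "/app/admin/import-export/generate-mysql.php",
    "/app/admin/import-export/generate-hosts.php",
}

# Constructed, simplified log format (an assumption, not phpIPAM's or Apache's own):
#   <timestamp> <client_ip> <app_user> "<METHOD> <path> HTTP/1.1" <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

def find_nonadmin_exports(lines: Iterable[str], roles: Dict[str, str]) -> List[tuple]:
    """Return (timestamp, client_ip, user, role, path) for every HTTP 200 hit on an
    affected endpoint by a user whose role is not Administrator. `roles` maps phpIPAM
    username -> role name; unknown users are reported as "unknown", not dropped."""
    findings: List[tuple] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        path = m["path"].split("?", 1)[0]  # drop any query string before matching
        if path not in AFFECTED_ENDPOINTS or m["status"] != "200":
            continue
        role = roles.get(m["user"], "unknown")
        if role != "Administrator":
            findings.append((m["ts"], m["ip"], m["user"], role, path))
    return findings

# Constructed sample: one admin export, two exports by a plain User, one request that
# did not succeed (403) and one unrelated page view.
SAMPLE_ROLES = {"alice": "Administrator", "bob": "User"}
SAMPLE_LOG = [
    '2022-02-04T10:00:01Z 10.0.0.5 alice "GET /app/admin/import-export/generate-xls.php HTTP/1.1" 200',
    '2022-02-04T10:02:13Z 10.0.0.9 bob "GET /app/admin/import-export/generate-mysql.php HTTP/1.1" 200',
    '2022-02-04T10:02:40Z 10.0.0.9 bob "GET /app/admin/import-export/generate-hosts.php?x=1 HTTP/1.1" 200',
    '2022-02-04T10:03:00Z 10.0.0.9 bob "GET /app/admin/import-export/generate-xls.php HTTP/1.1" 403',
    '2022-02-04T10:04:00Z 10.0.0.9 bob "GET /app/subnets/ HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ts, ip, user, role, path in find_nonadmin_exports(SAMPLE_LOG, SAMPLE_ROLES):
        print(f"{ts} {user} ({role}) from {ip} exported via {path}")
```

Any finding dated before the upgrade to 1.4.6 means the exported data (including the database dump) should be treated as disclosed to that account.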

We are processing your report and will contact the phpipam team within 24 hours. 2 years ago
We have contacted a member of the phpipam team and are waiting to hear back 2 years ago
We have sent a follow up to the phpipam team. We will try again in 7 days. 2 years ago
We have sent a second follow up to the phpipam team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the phpipam team. This report is now considered stale. 2 years ago
phpipam/phpipam maintainer has acknowledged this report a year ago
garyallan modified the report a year ago
garyallan validated this vulnerability a year ago
Faisal Fs ⚔️ has been awarded the disclosure bounty
The fix bounty is now up for grabs
garyallan marked this as fixed in 1.4.6 with commit f6a49f a year ago
garyallan has been awarded the fix bounty
This vulnerability will not receive a CVE
generate-mysql.php#L14-L18 has been validated
generate-xls.php#L13-L22 has been validated
generate-hosts.php#L15-L24 has been validated