Improper Access Control in phpipam/phpipam

Valid

Reported on

Feb 3rd 2022


Description

In phpIPAM 1.4.5, a normal user with the User role can download or export IP subnets, which may contain sensitive data such as IP address, IP state, MAC, owner, hostname and device, via the export-subnet.php endpoint. The bug is that export-subnet.php should verify that the user has at least read permission on the subnet it is exporting, and it does not.

Proof of Concept

Tested version: phpIPAM 1.4.5

Parameter: subnetId

Steps to reproduce:

1. Log in as a user with the role of User.

2. Go to http://{HOST}/app/subnets/addresses/export-subnet.php?subnetId=1&ip_addr=on&state=on&description=on&hostname=on&firewallAddressObject=on&mac=on&owner=on&switch=on&port=on&note=on&location=on&filename=phpipam_subnet_export.xls

3. We can export any related subnet data by changing the subnetId parameter value to any running number such as 1, 2, 3 and so forth.
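For defenders reviewing whether this endpoint was walked before upgrading, the following added example (not part of the original report or of phpIPAM) scans web-server access logs for one client requesting many distinct subnetId values from export-subnet.php. It assumes the Apache/nginx combined log format and groups by client IP because the web log does not carry the phpIPAM user name; the sample log lines, the function name and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the report.
EXPORT_PATH = "/app/subnets/addresses/export-subnet.php"
PARAM = "subnetId"

# Combined log format: client ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3}')

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2022:10:00:01 +0000] "GET /app/subnets/addresses/export-subnet.php?subnetId=1&ip_addr=on&filename=a.xls HTTP/1.1" 200 5120
10.0.0.5 - - [03/Feb/2022:10:00:03 +0000] "GET /app/subnets/addresses/export-subnet.php?subnetId=2&ip_addr=on&filename=a.xls HTTP/1.1" 200 4096
10.0.0.5 - - [03/Feb/2022:10:00:05 +0000] "GET /app/subnets/addresses/export-subnet.php?subnetId=3&ip_addr=on&filename=a.xls HTTP/1.1" 200 6144
10.0.0.9 - - [03/Feb/2022:11:15:00 +0000] "GET /app/subnets/addresses/export-subnet.php?subnetId=7&ip_addr=on&filename=b.xls HTTP/1.1" 200 2048
10.0.0.9 - - [03/Feb/2022:11:20:00 +0000] "GET /app/subnets/addresses/export-subnet.php?subnetId=7&mac=on&filename=b.xls HTTP/1.1" 200 2048
10.0.0.9 - - [03/Feb/2022:11:21:00 +0000] "GET /app/dashboard/index.php?subnetId=8 HTTP/1.1" 200 900
10.0.0.4 - - [03/Feb/2022:12:00:00 +0000] "GET /app/subnets/addresses/export-subnet.php?subnetId=abc HTTP/1.1" 200 120
"""


def find_subnet_enumeration(log_text, threshold=3):
    """Return {client: sorted subnetIds} for clients that requested exports
    of at least `threshold` distinct subnets. Response status is ignored, so
    denied attempts still count as enumeration."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, target = m.groups()
        url = urlsplit(target)
        if url.path != EXPORT_PATH:
            continue
        for value in parse_qs(url.query).get(PARAM, []):
            if value.isdecimal():  # skip malformed ids such as "abc"
                seen[client].add(int(value))
    return {c: sorted(ids) for c, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for client, ids in find_subnet_enumeration(SAMPLE_LOG).items():
        print(f"{client} requested exports for subnetId values {ids}")
```

A hit is only a lead: compare the flagged subnet IDs with the permissions of the accounts that were active from that client.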

Impact

This vulnerability constitutes improper access control and can lead to exposure of sensitive data of related parties.

We are processing your report and will contact the phpipam team within 24 hours. a year ago
We have contacted a member of the phpipam team and are waiting to hear back a year ago
We have sent a follow up to the phpipam team. We will try again in 7 days. a year ago
Faisal Fs ⚔️ modified the report a year ago
We have sent a second follow up to the phpipam team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the phpipam team. This report is now considered stale. a year ago
phpipam/phpipam maintainer has acknowledged this report a year ago
garyallan modified the report a year ago
garyallan validated this vulnerability a year ago
Faisal Fs ⚔️ has been awarded the disclosure bounty
The fix bounty is now up for grabs
garyallan marked this as fixed in 1.4.6 with commit f6a49f a year ago
garyallan has been awarded the fix bounty
This vulnerability will not receive a CVE