Improper Access Control in phpipam/phpipam
Feb 3rd 2022
In phpIPAM 1.4.5, a normal user with the role of
User could download or export IP subnets that may contain sensitive information related data such as IP address, IP state, MAC, owner, hostname and device via export-subnet.php endpoint. The bug is the export-subnet.php should verify the user has at least read permission to the subnet it is exporting and it does not.
Proof of Concept
Tested version: phpIPAM 1.4.5
Steps to reproduce:
1 Login as user with the role of User.
2 Go to
3 We can export any related subnet data by changing subnetId parameter value with any running number such as 1, 2, 3 and so forth.
This vulnerability is capable of Improper Access Control and sensitive data exposure of related party.