Improper Authorization in phpipam/phpipam

Valid

Reported on Feb 3rd 2022


Description

In phpIPAM 1.4.5, a normal user with the role of User could view/read the log files via the show-logs.php, error_logs.php and access_logs.php endpoints. These pages are supposed to be accessible to the Administrator only.

Proof of Concept

Tested version: phpIPAM 1.4.5


Affected endpoints:

1. GET/POST http://{HOST}/app/tools/logs/show-logs.php

2. POST http://{HOST}/app/dashboard/widgets/error_logs.php

3. POST http://{HOST}/app/dashboard/widgets/access_logs.php


Steps to reproduce:

1. Go to http://{HOST}/app/tools/logs/show-logs.php

2. Log in as a user with the role of User.

3. The log files are readable, detailing username, IP address, event, severity and date.


Impact

This vulnerability exposes sensitive data about relevant parties: username, IP address, event, severity and date. Since a normal user can view and collect the relevant usernames, they could conduct a dictionary or brute-force attack against the login page to authenticate. They could also learn the origin IP address of the admin to further the attack.
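As an added illustration (not phpIPAM's own code; it does not use the project's classes), the following Python model contrasts the authentication-only gate behind this report with a role-based, deny-by-default gate on the three affected endpoints. The endpoint paths come from the report; the usernames and log rows are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# The three endpoints the report names; each should be Administrator-only.
ADMIN_ONLY_PATHS = frozenset({
    "/app/tools/logs/show-logs.php",
    "/app/dashboard/widgets/error_logs.php",
    "/app/dashboard/widgets/access_logs.php",
})

# Constructed sample rows carrying the fields the report says the logs expose.
SAMPLE_LOG_ROWS = [
    {"username": "admin", "ip": "203.0.113.10", "event": "login", "severity": "info", "date": "2022-02-01"},
    {"username": "alice", "ip": "198.51.100.7", "event": "login failed", "severity": "warning", "date": "2022-02-02"},
]

@dataclass(frozen=True)
class Session:
    username: Optional[str]  # None means no valid session (anonymous)
    role: str = "User"       # "User" or "Administrator", the roles named in the report

def authorize_vulnerable(session: Session, path: str) -> bool:
    """Pattern behind the report: any valid session is treated as sufficient."""
    return session.username is not None

def authorize_fixed(session: Session, path: str) -> bool:
    """Authenticate first, then require the role the path demands; deny by default."""
    if session.username is None:
        return False
    if path in ADMIN_ONLY_PATHS:
        return session.role == "Administrator"
    return False  # unknown path: no implicit grant

def show_logs(session: Session, path: str, authorize=authorize_fixed) -> list:
    """Return the log rows only when the chosen authorization gate allows it."""
    if not authorize(session, path):
        raise PermissionError(f"role {session.role!r} may not read {path}")
    return list(SAMPLE_LOG_ROWS)

def audit(session: Session) -> dict:
    """Per endpoint: (decision under the old gate, decision under the fixed gate)."""
    return {p: (authorize_vulnerable(session, p), authorize_fixed(session, p))
            for p in sorted(ADMIN_ONLY_PATHS)}

if __name__ == "__main__":
    for role in ("User", "Administrator"):
        for path, (old, new) in audit(Session("someone", role)).items():
            print(f"{role:<13} {path:<42} before={'allow' if old else 'deny':<5} after={'allow' if new else 'deny'}")
```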

We are processing your report and will contact the phpipam team within 24 hours. a year ago
Faisal Fs ⚔️ modified the report a year ago
Faisal Fs ⚔️ modified the report a year ago
Faisal Fs ⚔️ modified the report a year ago
We have contacted a member of the phpipam team and are waiting to hear back. a year ago
We have sent a follow up to the phpipam team. We will try again in 7 days. a year ago
We have sent a second follow up to the phpipam team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the phpipam team. This report is now considered stale. a year ago
phpipam/phpipam maintainer has acknowledged this report a year ago
garyallan modified the report a year ago
garyallan validated this vulnerability a year ago
Faisal Fs ⚔️ has been awarded the disclosure bounty
The fix bounty is now up for grabs
garyallan marked this as fixed in 1.4.6 with commit f6a49f a year ago
garyallan has been awarded the fix bounty
This vulnerability will not receive a CVE
error_logs.php#L8-L15 has been validated
show-logs.php#L15-L21 has been validated
access_logs.php#L8-L15 has been validated