Improper Authorization in phpipam/phpipam

Status: Valid

Reported on Feb 3rd 2022

Description

In phpIPAM 1.4.5, a normal user with the role of User could view/read the log files via the show-logs.php, error_logs.php and access_logs.php endpoints. It is supposedly accessible by the Administrator only.

Proof of Concept

Tested version: phpIPAM 1.4.5


Affected endpoints:

1. GET/POST http://{HOST}/app/tools/logs/show-logs.php

2. POST http://{HOST}/app/dashboard/widgets/error_logs.php

3. POST http://{HOST}/app/dashboard/widgets/access_logs.php


Steps to reproduce:

1. Go to http://{HOST}/app/tools/logs/show-logs.php

2. Login as a user with the role of User.

3. We can read the log files detailing username, IP address, event, severity and date.


Impact

This vulnerability is capable of revealing sensitive data exposure of relevant parties such as username, IP address, event, severity and date. Since the normal user can view/collect relevant usernames, he/she could conduct a dictionary/brute-force attack on the login page to authenticate with. He/she could also know the origin IP address of the admin to further the attack.
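As an added illustration (not phpIPAM code and not the change merged in f6a49f), the following standalone PHP script contrasts the guard pattern the report describes, where a valid session alone unlocks the page, with an admin-only guard that closes this class of gap. The user records, role strings, guard function names and status codes are constructed for the example; the three endpoint paths are the ones listed above, and phpIPAM's own session and role API is not assumed.

```php
<?php
// Added example, not phpIPAM code and not the fix in commit f6a49f.
// Shows why "is there a session?" is not an authorization check for an
// admin-only page, and what the admin-only check looks like instead.
// User records, role names and guard names are constructed for this example.

declare(strict_types=1);

// Constructed sample accounts; role names follow the report's wording.
const SAMPLE_USERS = [
    'alice' => ['username' => 'alice', 'role' => 'Administrator'],
    'bob'   => ['username' => 'bob',   'role' => 'User'],
];

/**
 * Weak guard, modelled on the reported behaviour: only a valid session is
 * required, so any logged-in account, including a plain "User", passes.
 */
function sessionOnlyGuard(?array $user): bool
{
    return $user !== null;
}

/**
 * Hardened guard: a valid session AND the Administrator role are required.
 * Anything else is denied before any log data is touched.
 */
function adminOnlyGuard(?array $user): bool
{
    return $user !== null && ($user['role'] ?? '') === 'Administrator';
}

/**
 * Decide whether a log page may be rendered for $user under $guard.
 * Returns the HTTP status the page would answer with: 401 for no session,
 * 403 for a session that lacks the role, 200 when the page may be shown.
 */
function serveLogPage(string $endpoint, ?array $user, callable $guard): int
{
    if (!$guard($user)) {
        // Deny and stop here: no partial output, no log lines.
        return $user === null ? 401 : 403;
    }
    // A real page would read and print the log file at this point.
    return 200;
}

$endpoints = [
    '/app/tools/logs/show-logs.php',
    '/app/dashboard/widgets/error_logs.php',
    '/app/dashboard/widgets/access_logs.php',
];

// null stands for an anonymous request with no session at all.
$callers = ['alice', 'bob', null];

foreach ($endpoints as $ep) {
    foreach ($callers as $name) {
        $user = $name === null ? null : SAMPLE_USERS[$name];
        printf(
            "%-42s %-9s session-only=%d admin-only=%d\n",
            $ep,
            $name ?? 'anonymous',
            serveLogPage($ep, $user, 'sessionOnlyGuard'),
            serveLogPage($ep, $user, 'adminOnlyGuard')
        );
    }
}
```

Run it with `php gate.php`: for the `User` account the session-only column answers 200 on all three endpoints while the admin-only column answers 403, which is exactly the difference the report describes. The role check has to run at the top of each endpoint and terminate the request on failure; hiding the menu entry for non-admin users does nothing, because the PoC reaches the page by direct URL.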

Activity

We are processing your report and will contact the phpipam team within 24 hours. (4 months ago)
Faisal Fs modified the report (4 months ago)
Faisal Fs modified the report (4 months ago)
Faisal Fs modified the report (4 months ago)
We have contacted a member of the phpipam team and are waiting to hear back. (4 months ago)
We have sent a follow up to the phpipam team. We will try again in 7 days. (4 months ago)
We have sent a second follow up to the phpipam team. We will try again in 10 days. (3 months ago)
We have sent a third and final follow up to the phpipam team. This report is now considered stale. (3 months ago)
phpipam/phpipam maintainer has acknowledged this report. (2 months ago)
garyallan modified the report (2 months ago)
garyallan validated this vulnerability. (2 months ago)
Faisal Fs has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
garyallan confirmed that a fix has been merged on f6a49f. (2 months ago)
garyallan has been awarded the fix bounty.
error_logs.php#L8-L15 has been validated.
show-logs.php#L15-L21 has been validated.
access_logs.php#L8-L15 has been validated.