phpIPAM is often perceived as a hidden benefit for companies and their employees as many administrators see it as a resource they use throughout their day-to-day work, but it's just another "domain" administer tool that admins keep in the background and usually do not consider for security vulnerabilities. One example of this is CVE-2019-16693, which is worth noting because of these underlying reasons.
According to CVE-2019-16693, there is a vulnerability in phpIPAM version 1.4 that allows for SQL injection via the custom ordering field. Although exploitation of this vulnerability requires an admin account to access the application, it doesn't eliminate the risk associated with this vulnerability because in most cases, attackers can obtain admin access to phpIPAM through phishing scams, weak passwords or lateral movement on the network.
Vulnerability Details
1. Product: phpIPAM
2. Vulnerable Version: 1.4
3. CVE ID: CVE-2019-16693
4. Vulnerability Type: SQL Injection
5. Tested Platform: Windows
6. Detected By: CodeSecLab
This SQL injection vulnerability is based on how phpIPAM internally manages the ordering of custom fields. Essentially, it allows for SQL commands to be processed through user-provided information without being validated first. This means the user can inject malicious SQL commands directly into the database by inputting arbitrary data that phpIPAM accepts and will execute as part of an SQL query.
Proof of Concept (PoC)
The method used for testing the previously mentioned vulnerability was by sending an administrator-level account a maliciously crafted POST request to
/app/admin/custom-fields/order.php
which contains valid values submitted to an undefined table parameter. By passing SQL code directly via the table parameter into a database query, attackers will have the ability to change how to execute the database query, potentially exposing the contents of the database or changing records stored in the database.
To reproduce the vulnerability to use a location-based PHPIPAM service, you must have an authenticated admin user account set up; this creates an additional risk for organizations who have poorly protected their admin credentials, or who have multiple users sharing the same admin account.
To reproduce this vulnerability, follow the procedure below:
1. Sign into the PHPIPAM application with an admin user account.
2. With the aid of a proxy tool (e.g. Burp Suite), intercept the HTTP POST action from the PHPIPAM system.
3. Make the necessary changes to the intercepted POST request by inserting an existing SQL command into the request body.
4. Submit the updated request, and observe how the PHPIPAM system reacts to your addition.
Impact and Risk
While this is not a remote unauthenticated vulnerability, the potential damage caused by this flaw is considerable.
1. Sensitive database information may be revealed.
2. Internal data may be altered or destroyed.
3. The vulnerability could provide the attacker with a way to gain further access to different parts of the network. Internal tools such as PHPIPAM will typically provide access to valuable data for the company’s infrastructure and as such they are frequently targeted once an attacker is already inside the network.
Mitigation Recommendations
1. Patch and upgrade PHPIPAM to the latest version as soon as possible.
2. Restrict administrative access to only admin users who can be verified as trusted.
3. Track the actions of admin users for abnormal or unexpected behaviour.
4. Treat all internal applications as highly valuable business assets, not as "low risk" or "non-critical" tools.
Source: Exploit DB
