Incorrect Privilege Assignment in phpipam/phpipam
Reported on Feb 4th 2022
Description
phpIPAM 1.4.5 incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor in the Import/Export feature. A normal user with the role of User can download an XLS file of IP addresses, a hostfile dump, and an export of the system database, which contains sensitive information, via the generate-xls.php, generate-hosts.php and generate-mysql.php endpoints respectively. These administrative operations are supposed to be accessible to the Administrator only.
Proof of Concept
Tested version: phpIPAM 1.4.5
Affected endpoints:
1. GET http://{HOST}/app/admin/import-export/generate-xls.php
2. GET http://{HOST}/app/admin/import-export/generate-mysql.php
3. GET http://{HOST}/app/admin/import-export/generate-hosts.php
Steps to reproduce:
1. Go to the affected endpoints mentioned above.
2. Log in as a user with the role of User.
3. We can export XLS files of IP addresses, the MySQL database dump and the hostfile dump.
Impact
This vulnerability is capable of fully compromising the system database, revealing sensitive information of relevant parties.
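To check whether the three export endpoints listed above were already served to non-administrators, the following Python script (an added example, not part of the original report or of phpIPAM's code) scans web-server access logs for successful export requests from addresses outside a known administrator list. Assumptions: combined log format, a 200 status means the export was served, and the administrator address list, function name and sample log lines are constructed for illustration.

```python
import re

# Export endpoints named in this report, matched as path suffixes so an
# installation under a sub-directory (e.g. /phpipam/...) is still covered.
EXPORT_SUFFIXES = {
    "/app/admin/import-export/generate-xls.php": "XLS export",
    "/app/admin/import-export/generate-mysql.php": "MySQL dump",
    "/app/admin/import-export/generate-hosts.php": "hosts file dump",
}
# Assumption: administrators connect only from these addresses (constructed).
ADMIN_SOURCES = {"192.0.2.10"}

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_export_hits(lines, admin_sources=ADMIN_SOURCES):
    """Return served export requests that came from non-admin sources."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        # Drop the query string and collapse repeated slashes before matching.
        path = re.sub(r"/{2,}", "/", m["target"].split("?", 1)[0])
        kind = next((k for s, k in EXPORT_SUFFIXES.items() if path.endswith(s)), None)
        if kind is None or m["status"] != "200" or m["ip"] in admin_sources:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({"ip": m["ip"], "time": m["time"], "export": kind, "bytes": size})
    return hits

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Feb/2022:10:00:01 +0000] "GET /app/admin/import-export/generate-mysql.php HTTP/1.1" 200 48213',
    '198.51.100.7 - - [04/Feb/2022:10:05:12 +0000] "GET /app/admin/import-export/generate-mysql.php HTTP/1.1" 200 48213',
    '198.51.100.7 - - [04/Feb/2022:10:05:40 +0000] "GET /phpipam//app/admin/import-export/generate-xls.php?x=1 HTTP/1.1" 200 9120',
    '198.51.100.9 - - [04/Feb/2022:10:06:02 +0000] "GET /app/admin/import-export/generate-hosts.php HTTP/1.1" 302 -',
    '198.51.100.9 - - [04/Feb/2022:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in find_export_hits(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["export"]} ({hit["bytes"]} bytes)')
```

Any hit on the MySQL dump endpoint from a non-administrator source should be treated as exposure of the database contents, in line with the impact described above.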