phpIPAM 1.4.5 incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor in the Import/Export feature. A normal user with the role of User can download an XLS file of IP addresses, a hostfile dump, and an export of the system database, which contains sensitive information, via the generate-xls.php, generate-hosts.php and generate-mysql.php endpoints respectively. These administrative operations are supposed to be accessible to the Administrator only.

GET http://{HOST}/app/admin/import-export/generate-xls.php
GET http://{HOST}/app/admin/import-export/generate-mysql.php
GET http://{HOST}/app/admin/import-export/generate-hosts.php

1. Go to affected endpoints mentioned above.
2. Log in as a user with the role of User.
3. We can export XLS files of IP addresses, the MySQL database dump and the hostfile dump.

This vulnerability is capable of fully compromising the system database, revealing sensitive information of relevant parties.
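
A detection-side complement to the report, as an added example that is not part of the original advisory or of phpIPAM's code: it scans web-server access logs for successfully served requests to the three export endpoints, so the client IPs and times can be matched against non-administrator sessions. The common/combined log format, the name `find_export_hits`, the sub-directory install and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Export endpoints named in the advisory, matched as path suffixes so an
# install under a sub-directory (assumption) is still covered.
EXPORT_ENDPOINTS = {
    "/app/admin/import-export/generate-xls.php": "XLS of IP addresses",
    "/app/admin/import-export/generate-mysql.php": "MySQL database dump",
    "/app/admin/import-export/generate-hosts.php": "hostfile dump",
}

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_export_hits(lines):
    """Return {client_ip: [(time, export_kind, status), ...]} for served exports."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        # Compare on the path only: urlsplit drops the query string and also
        # handles absolute-form targets; duplicate slashes are collapsed.
        path = re.sub(r"/{2,}", "/", urlsplit(m["target"]).path)
        kind = next((k for p, k in EXPORT_ENDPOINTS.items() if path.endswith(p)), None)
        # Only a 2xx response means an export was actually returned.
        if kind and m["status"].startswith("2"):
            hits[m["ip"]].append((m["time"], kind, int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Jan/2022:10:01:02 +0000] "GET /app/admin/import-export/generate-mysql.php HTTP/1.1" 200 482113 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Jan/2022:10:01:09 +0000] "GET /phpipam//app/admin/import-export/generate-hosts.php?x=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2022:10:02:00 +0000] "GET /app/admin/import-export/generate-xls.php HTTP/1.1" 302 0 "-" "curl/7.79"',
    '203.0.113.7 - - [12/Jan/2022:10:03:00 +0000] "GET /app/dashboard/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_export_hits(SAMPLE_LOG).items():
        for when, kind, status in events:
            print(f"{ip} {when} {kind} (HTTP {status})")
```

Each flagged client IP and timestamp still has to be correlated with the application's own session or login records to tell an administrator's export from one made by a User-role account.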