CVE-2022-23046

7.2 HIGH

📋 TL;DR

This SQL injection vulnerability in phpIPAM v1.4.4 allows authenticated admin users to execute arbitrary SQL commands via the 'subnet' parameter in the BGP mapping search functionality. Attackers with admin privileges can potentially access, modify, or delete database contents. Only phpIPAM installations with version 1.4.4 are affected.

💻 Affected Systems

Products:
  • phpIPAM
Versions: Version 1.4.4 only
Operating Systems: All platforms running phpIPAM
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated admin user access. The vulnerability exists in the BGP mapping search functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Admin user could execute arbitrary SQL commands leading to complete database compromise, data exfiltration, privilege escalation, or system takeover via SQL injection to RCE chaining.

🟠 Likely Case: Admin user could read sensitive data from the database, modify configuration settings, or disrupt network management operations.

🟢 If Mitigated: With proper access controls limiting admin privileges to trusted users only, impact is reduced to authorized users misusing their legitimate access.

🌐 Internet-Facing: MEDIUM - If phpIPAM is exposed to the internet, attackers could exploit this if they obtain admin credentials through other means.
🏢 Internal Only: HIGH - Internal admin users or compromised admin accounts can directly exploit this vulnerability without network restrictions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin credentials. Public proof-of-concept demonstrates SQL injection via the subnet parameter in edit-bgp-mapping-search.php.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.4.5

Vendor Advisory: https://github.com/phpipam/phpipam/releases/tag/v1.4.5

Restart Required: No

Instructions:

1. Backup your phpIPAM installation and database.
2. Download phpIPAM v1.4.5 from GitHub releases.
3. Replace the vulnerable file app/admin/routing/edit-bgp-mapping-search.php with the patched version.
4. Verify the fix by testing the BGP mapping search functionality.

🔧 Temporary Workarounds

Disable BGP Mapping Search (linux)

Temporarily disable the vulnerable BGP mapping search functionality by restricting access to the affected PHP file:

chmod 000 /path/to/phpipam/app/admin/routing/edit-bgp-mapping-search.php

Input Validation Filter (all)

Add input validation to sanitize the subnet parameter before processing: edit edit-bgp-mapping-search.php to add parameter validation using prepared statements or input filtering.

🧯 If You Can't Patch

  • Restrict admin privileges to only absolutely necessary trusted users
  • Implement network segmentation to isolate phpIPAM from sensitive systems

🔍 How to Verify

Check if Vulnerable:

Check if running phpIPAM version 1.4.4 by examining version files or database settings. Test the BGP mapping search with SQL injection payloads in the subnet parameter.

Check Version:

grep -r 'version.*1\.4\.4' /path/to/phpipam/ || cat /path/to/phpipam/functions/scripts/check.php

Verify Fix Applied:

After patching to v1.4.5, test the BGP mapping search functionality with SQL injection attempts to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by BGP search activity
  • Admin user performing unexpected BGP mapping searches

Network Indicators:

  • HTTP POST requests to edit-bgp-mapping-search.php with SQL syntax in parameters
  • Unusual database connection patterns from phpIPAM server

SIEM Query:

source="web_logs" AND uri="*edit-bgp-mapping-search.php*" AND (param="*UNION*" OR param="*SELECT*" OR param="*INSERT*" OR param="*DELETE*")
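The SIEM query above expressed as stand-alone detection logic, run over a few constructed web-server log lines. This is an added example, not part of the original advisory or of phpIPAM; it assumes request parameters are present in the logged request line (a query string, or a proxy/WAF log that records POST bodies) and that the log follows the common combined format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (combined log format); not real traffic.
# Line 2 carries SQL keywords in the 'subnet' parameter of the affected script.
# Line 3 carries a keyword too, but against an unrelated script, so it is not flagged.
SAMPLE_LOGS = [
    '10.0.0.5 - admin [12/Jan/2022:10:01:02 +0000] "POST /app/admin/routing/'
    'edit-bgp-mapping-search.php?subnet=10.10.0.0%2F24 HTTP/1.1" 200 512',
    '10.0.0.5 - admin [12/Jan/2022:10:01:09 +0000] "POST /app/admin/routing/'
    'edit-bgp-mapping-search.php?subnet=10.10.0.0%27%20UNION%20SELECT%201 HTTP/1.1" 200 2048',
    '10.0.0.7 - alice [12/Jan/2022:10:02:00 +0000] "GET /app/tools/search/'
    'search-results.php?ip=SELECT+me HTTP/1.1" 200 300',
]

# Request-line parser for the combined log format (assumed layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Same keyword set as the SIEM query; whole-word match, case-insensitive.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|DELETE)\b", re.IGNORECASE)
VULN_SCRIPT = "edit-bgp-mapping-search.php"


def parse_line(line):
    """Return a dict with source, user, path and decoded parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes values, so encoded payloads are inspected decoded.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"src": m.group("src"), "user": m.group("user"), "ts": m.group("ts"),
            "method": m.group("method"), "path": parts.path, "params": params}


def find_sql_param(event):
    """Return (name, value) of the first parameter with SQL keywords, else None."""
    if event is None or not event["path"].endswith("/" + VULN_SCRIPT):
        return None
    for name, value in event["params"].items():
        if SQL_KEYWORDS.search(value):
            return name, value
    return None


def scan(lines):
    """Return one hit per line that targets the affected script with SQL syntax."""
    hits = []
    for line in lines:
        event = parse_line(line)
        found = find_sql_param(event)
        if found:
            hits.append({"src": event["src"], "user": event["user"], "ts": event["ts"],
                         "param": found[0], "value": found[1]})
    return hits
```

Keyword matching of this kind is a triage signal, not proof of exploitation; on a real deployment pair it with the version check above and with database-side logging.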
