CVE-2024-10721
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in phpipam/phpipam version 1.5.2 allows attackers to inject malicious scripts into the circuits options page. When other users view the affected page, these scripts execute in their browser context, potentially leading to session hijacking or unauthorized actions. This affects all users of vulnerable phpipam installations.
💻 Affected Systems
- phpipam/phpipam
📦 What is this software?
phpIPAM (phpipam/phpipam), an open-source, web-based IP address management (IPAM) application written in PHP.
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to the IPAM system, modify network configurations, and potentially pivot to other systems.
Likely Case
Attackers steal user session cookies to impersonate legitimate users, access sensitive network information, or redirect users to phishing sites.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before reaching users' browsers.
🎯 Exploit Status
Exploitation requires authenticated access to inject scripts, but the payload executes when any user views the affected page. Public proof-of-concept exists on huntr.com.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0
Vendor Advisory: https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731
Restart Required: No
Instructions:
1. Back up your phpipam database and configuration files.
2. Download phpipam version 1.7.0 or later from the official repository.
3. Replace the existing installation files with the new version.
4. Run any database upgrade scripts if required.
5. Verify the circuits options page functionality.
🔧 Temporary Workarounds
Input Validation Filter
- Implement server-side input validation to sanitize user input in the circuits options page.
- Modify the /tools/circuits/options/ PHP files to add htmlspecialchars() or similar sanitization functions around user-controlled inputs.
Content Security Policy
- Implement a strict Content Security Policy header to prevent script execution from untrusted sources.
- Add header("Content-Security-Policy: default-src 'self'; script-src 'self';") to the PHP configuration.
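The following PHP is an added example written for this advisory; it is not phpipam's own code and does not reproduce the upstream fix commit. It shows the two workarounds side by side: a rendering function that interpolates a stored circuit option unchanged (the pattern that makes stored XSS possible) next to one that encodes the value with htmlspecialchars() for the HTML context, plus the CSP header sent before any output. The option names, the stored values and the function names are constructed for illustration.

```php
<?php
// Added example, not phpipam's code. Function and variable names are hypothetical.
declare(strict_types=1);

// Constructed sample of stored circuit options. The 'notes' value is the kind of
// markup a vulnerable 1.5.2 install would have saved verbatim.
$storedOptions = [
    'name'   => 'Uplink A',
    'notes'  => "<script>alert('stored')</script>",
    'vendor' => 'Carrier "East" & Co',
];

// Vulnerable pattern: the stored value is placed into the HTML unchanged, so any
// markup in it becomes live DOM in the browser of whoever views the page.
function renderOptionVulnerable(string $label, string $value): string
{
    return "<tr><td>{$label}</td><td>{$value}</td></tr>";
}

// Hardened pattern: encode for the HTML text/attribute context. ENT_QUOTES also
// encodes single quotes, so the value is safe inside quoted attributes as well;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderOptionSafe(string $label, string $value): string
{
    return '<tr><td>' . h($label) . '</td><td>' . h($value) . '</td></tr>';
}

// Defence in depth: the CSP from the workaround above. It must be sent before the
// first byte of the body, because headers cannot be added once output has started.
function sendCsp(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    }
}

// Self-check for a maintainer: after encoding, no script tag or javascript: URL
// from the stored value may survive in the rendered HTML.
function containsRawMarkup(string $html): bool
{
    return (bool) preg_match('/<\s*script|javascript\s*:/i', $html);
}

sendCsp();
echo "<table>\n";
foreach ($storedOptions as $label => $value) {
    echo renderOptionSafe($label, $value), "\n";
}
echo "</table>\n";

// Show the difference between the two renderings of the hostile value.
$vuln = renderOptionVulnerable('notes', $storedOptions['notes']);
$safe = renderOptionSafe('notes', $storedOptions['notes']);
echo containsRawMarkup($vuln) ? "vulnerable render: script tag is live\n" : "vulnerable render: unexpected\n";
echo containsRawMarkup($safe) ? "safe render: FAILED\n" : "safe render: script tag is inert\n";
```

Two caveats worth keeping in mind when applying this to the real files: htmlspecialchars() is correct only for values placed in HTML text or quoted attributes, so a value that ends up inside a JavaScript string or an href/src attribute needs encoding for that context instead. And script-src 'self' blocks every inline script, including any the application itself relies on, so the CSP header should be tried on a staging instance before it goes to production.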
🧯 If You Can't Patch
- Restrict access to the circuits options page to only trusted administrators using web server access controls.
- Implement a web application firewall (WAF) with XSS protection rules to filter malicious payloads.
🔍 How to Verify
Check if Vulnerable:
Check if your phpipam version is 1.5.2 or earlier by examining the version file or admin interface. Test if unsanitized HTML input in the circuits options page persists and executes.
Check Version:
grep -r "define('VERSION'" /path/to/phpipam/ (or check the admin dashboard)
Verify Fix Applied:
After upgrading to 1.7.0, attempt to inject a simple XSS payload (like <script>alert('test')</script>) into the circuits options page and verify it doesn't execute when viewing the page.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /tools/circuits/options/ with script tags or JavaScript code
- Multiple failed login attempts followed by successful access to circuits page
Network Indicators:
- HTTP requests containing suspicious script payloads in URL parameters or POST data
SIEM Query:
source="web_server_logs" AND (url_path="/tools/circuits/options/" AND (message="*<script>*" OR message="*javascript:*"))
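The indicators above match on a literal <script> tag, but a payload carried in a query string normally arrives percent-encoded, so a raw-text match can miss it. The PHP script below is an added example (not part of the advisory or of phpipam) that parses access-log lines in the combined format, restricts to the /tools/circuits/options/ path, URL-decodes the request target and only then applies the same two patterns as the SIEM query. The log lines, IP addresses and user names are constructed samples.

```php
<?php
// Added example, not phpipam's tooling. Log lines below are constructed samples.
declare(strict_types=1);

$sampleLog = <<<'LOG'
203.0.113.10 - alice [12/Nov/2024:10:01:02 +0000] "GET /tools/circuits/options/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.25 - bob [12/Nov/2024:10:02:15 +0000] "POST /tools/circuits/options/?note=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.25 - bob [12/Nov/2024:10:02:40 +0000] "GET /tools/circuits/options/?url=javascript%3Aalert(1) HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - carol [12/Nov/2024:10:03:00 +0000] "GET /tools/subnets/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

// Same two indicators as the SIEM query, applied to the decoded request target.
const SUSPICIOUS  = '/<\s*script|javascript\s*:/i';
const TARGET_PATH = '/tools/circuits/options/';

// Pull client IP, authenticated user, method and request target out of one
// combined-format line; returns null for lines that do not parse.
function parseRequest(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'user' => $m[2], 'method' => $m[3], 'target' => $m[4]];
}

function isSuspicious(string $line): bool
{
    $req = parseRequest($line);
    if ($req === null || strpos($req['target'], TARGET_PATH) !== 0) {
        return false;
    }
    // Decode once so %3Cscript%3E becomes <script> before matching.
    return (bool) preg_match(SUSPICIOUS, urldecode($req['target']));
}

// Returns one "ip user method" line per suspicious request, in log order.
function findSuspicious(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (isSuspicious($line)) {
            $req = parseRequest($line);
            $hits[] = sprintf('%s %s %s', $req['ip'], $req['user'], $req['method']);
        }
    }
    return $hits;
}

foreach (findSuspicious($sampleLog) as $hit) {
    echo "suspicious request: {$hit}\n";
}
```

Run against the sample above it flags the two requests from bob and leaves alice's and carol's alone. Because exploitation requires an authenticated session, the user field of the access log attributes the attempt to an account, which is the first thing to check when a hit appears. Note that a standard access log does not contain POST bodies, so the "POST requests with script tags" indicator can only be confirmed from a source that records request bodies, such as a WAF audit log or application-level logging.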