CVE-2024-41357
📋 TL;DR
CVE-2024-41357 is a cross-site scripting (XSS) vulnerability in phpipam 1.6 that allows attackers to inject malicious scripts via the /app/admin/powerDNS/record-edit.php endpoint. This affects administrators and users with access to the phpipam web interface. Successful exploitation could lead to session hijacking, credential theft, or unauthorized actions.
💻 Affected Systems
- phpipam
📦 What is this software?
phpipam, maintained by the phpipam project, is an open-source web-based IP address management (IPAM) application; it includes an optional powerDNS module for managing DNS records.
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to phpipam, manipulate DNS records, pivot to internal networks, and compromise the entire infrastructure.
Likely Case
Attackers hijack user sessions, steal credentials, perform unauthorized DNS modifications, and potentially deploy malware through the compromised interface.
If Mitigated
Limited impact due to proper input validation, output encoding, and Content Security Policy (CSP) headers preventing script execution.
🎯 Exploit Status
Exploitation requires authenticated access to the powerDNS record-edit functionality. Public proof-of-concept demonstrates the injection vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.1 or later
Vendor Advisory: https://github.com/phpipam/phpipam/issues/4149
Restart Required: No
Instructions:
1. Backup your phpipam installation and database.
2. Download the latest version from the official repository.
3. Replace the vulnerable file /app/admin/powerDNS/record-edit.php with the patched version.
4. Verify the fix by testing the affected endpoint.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side input validation and output encoding for user-supplied data in the record-edit.php file.
# Manual code modification required - add htmlspecialchars() or equivalent around user inputs in PHP code
Disable PowerDNS Module
Temporarily disable the powerDNS module if not required.
# Rename or remove the powerDNS directory:
mv /path/to/phpipam/app/admin/powerDNS /path/to/phpipam/app/admin/powerDNS_disabled
🧯 If You Can't Patch
- Restrict access to the phpipam admin interface using network segmentation and firewall rules.
- Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads.
🔍 How to Verify
Check if Vulnerable:
Check if your phpipam version is 1.6 and the file /app/admin/powerDNS/record-edit.php exists without proper input sanitization.
Check Version:
# The pattern matches the VERSION define whether it uses single or double quotes
grep -rE "define\(.VERSION.," /path/to/phpipam/ | head -1
Verify Fix Applied:
Test the /app/admin/powerDNS/record-edit.php endpoint with a harmless XSS payload (e.g., <script>alert('test')</script>) and verify it's properly encoded in the output.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /app/admin/powerDNS/record-edit.php with script tags or JavaScript payloads in parameters.
- Multiple failed login attempts followed by successful access to the powerDNS module.
Network Indicators:
- HTTP traffic containing malicious script injections in request parameters to the vulnerable endpoint.
SIEM Query:
source="web_logs" AND uri="/app/admin/powerDNS/record-edit.php" AND (param="*<script>*" OR param="*javascript:*")
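As an added example (not part of the advisory and not phpipam code), the scanner below applies the same indicators to web server access-log lines, but URL-decodes the query string first so encoded payloads such as %3Cscript%3E are caught, which the literal wildcard match in the SIEM query above would miss. The log format, IPs and sample lines are constructed for illustration.

```python
"""Flag requests to the phpipam record-edit endpoint whose decoded query
parameters contain script tags or javascript: URLs (constructed example)."""
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

TARGET_PATH = "/app/admin/powerDNS/record-edit.php"

# Combined/common log format: ip - - [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicators from the advisory, checked after decoding and case-insensitively
PAYLOAD_RE = re.compile(r'<\s*script|javascript\s*:', re.IGNORECASE)


def suspicious_params(uri: str) -> dict:
    """Return query parameters of `uri` whose decoded value looks like a payload."""
    hits = {}
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once; catch double-encoding
        if PAYLOAD_RE.search(decoded):
            hits[name] = decoded
    return hits


def scan_log(lines) -> list:
    """Return (ip, timestamp, method, hits) for each matching request to TARGET_PATH."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or urlsplit(m.group("uri")).path != TARGET_PATH:
            continue
        hits = suspicious_params(m.group("uri"))
        if hits:
            alerts.append((m.group("ip"), m.group("ts"), m.group("method"), hits))
    return alerts


# Constructed sample log lines: one benign edit, two encoded payloads, one other path
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2024:10:00:01 +0000] "GET /app/admin/powerDNS/record-edit.php?id=12&name=www HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Aug/2024:10:00:07 +0000] "GET /app/admin/powerDNS/record-edit.php?id=12&name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 530',
    '10.0.0.9 - - [01/Aug/2024:10:00:09 +0000] "POST /app/admin/powerDNS/record-edit.php?content=JAVASCRIPT%3Aalert(1) HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Aug/2024:10:00:11 +0000] "GET /app/tools/search/?q=%3Cscript%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, ts, method, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {method} {hits}")
```

Access logs only carry the query string, so payloads sent in a POST body are invisible here; those need application or WAF logs that record request bodies.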