PHPIPAM <v1.5.1 - Missing Authorization
ID: CVE-2023-0678
Severity: medium
Author: princechaddha,ritikchaddha
Tags: cve,cve2023,php,phpipam,unauth
Description
In phpIPAM 1.5.1, an unauthenticated user could download the list of high-usage IP subnets, which contains sensitive information such as subnet descriptions, IP ranges, and usage rates, via the find_full_subnets.php endpoint. The bug is that find_full_subnets.php verifies neither that the user is authorized to access the data nor that the script was started from the command line.
YAML Source
id: CVE-2023-0678

info:
  name: PHPIPAM <v1.5.1 - Missing Authorization
  author: princechaddha,ritikchaddha
  severity: medium
  description: |
    In phpIPAM 1.5.1, an unauthenticated user could download the list of high-usage IP subnets that contains sensitive information such as a subnet description, IP ranges, and usage rates via find_full_subnets.php endpoint. The bug lies in the fact that find_full_subnets.php does not verify if the user is authorized to access the data, and if the script was started from a command line.
  reference:
    - https://github.com/phpipam/phpipam/commit/1960bd24e8a55796da066237cf11272c44bb1cc4
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2023-0678
    cwe-id: CWE-862
    epss-score: 0.02274
    epss-percentile: 0.8962
    cpe: cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: phpipam
    product: phpipam
    shodan-query:
      - "html:\"phpIPAM IP address management\""
      - http.html:"phpipam ip address management"
    fofa-query: "body=\"phpipam ip address management\""
  tags: cve,cve2023,php,phpipam,unauth

http:
  - method: GET
    path:
      - "{{BaseURL}}/functions/scripts/find_full_subnets.php"

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "Array", "[subnet]", "[description]")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502201b0dc18afa7fc41f90af8efd0498d8ff30c2d1598044cdc4bc8356faf05be5ed022100b7acad33c6c4ce60d931d75de8878ab30b335d305d9b9354a145fe447f1e67ff:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-0678.yaml"
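A defender-side complement to the scan, added here as an example that is not part of the original template or of phpIPAM: since the script is meant to be started from the command line, any HTTP request for it in the web server access log deserves review, and a 200 response means subnet data may have been served. The combined log format and the sample lines (documentation-range addresses) are assumptions constructed for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path taken from the template above; the script is intended for CLI use only.
TARGET = "/functions/scripts/find_full_subnets.php"

# Assumed Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2023:10:01:22 +0000] "GET /functions/scripts/find_full_subnets.php HTTP/1.1" 200 1843 "-" "curl/8.0"',
    '198.51.100.4 - - [12/Mar/2023:10:05:10 +0000] "GET /phpipam//functions/scripts/find_full_subnets.php?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2023:10:06:00 +0000] "GET /index.php?page=login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def find_exposure_hits(lines):
    """Return {client_ip: [(timestamp, status, size), ...]} for requests to TARGET."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        # Compare the path only: drop the query string, decode %-escapes,
        # collapse duplicate slashes and ignore case. endswith() also covers
        # installs under a sub-directory such as /phpipam/.
        path = re.sub(r"/+", "/", unquote(m["uri"].split("?", 1)[0])).lower()
        if not path.endswith(TARGET):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["ip"]].append((m["ts"], int(m["status"]), size))
    return dict(hits)

def served(hits):
    """Clients that got a 200 response, i.e. subnet data may have been disclosed."""
    return sorted(ip for ip, reqs in hits.items() if any(s == 200 for _, s, _ in reqs))

if __name__ == "__main__":
    found = find_exposure_hits(SAMPLE_LOG)
    print("requested the script:", sorted(found))
    print("received HTTP 200:   ", served(found))
```

Clients that only received 403 or 404 responses indicate probing against a patched or blocked endpoint; clients in the 200 list are the ones to follow up on.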