Exploit discovered in phpIPAM IP management software

phpIPAM is a popular open-source web IP address management application (IPAM). Its goal is to provide light, modern and useful IP address management. It is php-based application with MySQL database backend, using jQuery libraries, ajax and HTML5/CSS3 features.

A vulnerability in phpIPAM version 1.3.2 and earlier was found that contains a Cross Site Scripting (XSS) exploit in the subnet-scan-telnet.php that can result in executing code in victims browser.

This vulnerability is assigned CVE-2019-1000010 and was published on 02/04/2019. The attack can be launched remotely. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available.

Upgrading phpIPAM

This vulnerability is confirmed to have been fixed in version 1.4 and it is recommended that you upgrade to the latest version as soon as possible.

To upgrade phpIPAM to the latest version you can extract the new code and copy over the old config.php file.

[root@ipam /]# cd /var/www/phpipam
[root@ipam /var/www/phpipam]# tar -xvf phpipam-1.3.2.tar
[root@ipam /var/www/phpipam]# cp /backup/location/config.php /var/www

In case you use Git you can use the following steps to upgrade:

root@ipam /]# cd /var/www/phpipam
root@ipam /var/www/phpipam]# git pull
root@ipam /var/www/phpipam]# git checkout -b 1.3 origin/1.3
root@ipam /var/www/phpipam]# git submodule update --init --recursive

Website: https://phpipam.net/


Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.