phpIPAM 1.4 suffers from a SQL Injection vulnerability identified as CVE-2019-16693, located in the /app/admin/custom-fields/order.php endpoint. The root cause is insufficient sanitization of the 'table' parameter in POST requests, which allows an authenticated attacker with valid administrative credentials to inject arbitrary SQL commands into the backend database. The provided proof-of-concept exploit demonstrates a UNION-based SQL Injection attack, where a specially crafted POST request containing malicious SQL payloads is sent while authenticated as an admin user with a valid PHPSESSID session cookie. This flaw enables attackers to read, modify, or delete database records, potentially compromising the confidentiality and integrity of IP address management data stored in phpIPAM. The attack requires prior authentication, limiting the attack surface but not eliminating risk, especially if credentials are compromised or sessions hijacked. No official patches are linked in the provided data, but the vulnerability is documented with exploit code on Exploit-DB. The exploit code is a text-based HTTP POST request targeting the vulnerable endpoint with SQL Injection payloads. Organizations relying on phpIPAM 1.4 for network infrastructure management should prioritize mitigation to prevent unauthorized data access or manipulation.

For European organizations, this vulnerability threatens the confidentiality and integrity of critical network infrastructure data managed by phpIPAM. Successful exploitation could expose sensitive IP address allocations, network topology, and configuration data, leading to potential misconfigurations, denial of service, or unauthorized network access. This could disrupt network operations and facilitate lateral movement by attackers within corporate or governmental networks. The requirement for admin credentials reduces the likelihood of exploitation but does not eliminate it, especially in environments where credential theft or session hijacking is feasible. Sectors such as telecommunications, finance, government, and critical infrastructure operators are particularly vulnerable due to their reliance on accurate IP address management and network configuration data. Without timely mitigation, attackers could gain persistent access or disrupt network management processes, impacting operational continuity and data security.

1. Upgrade phpIPAM to the latest available version where this SQL Injection vulnerability is patched. If no official patch exists, consider applying community patches or backporting fixes from newer releases. 2. Implement strict input validation and use parameterized queries or prepared statements in the affected code to prevent SQL Injection attacks. 3. Restrict administrative access to phpIPAM to trusted internal networks and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. 4. Monitor web server and application logs for unusual POST requests to /app/admin/custom-fields/order.php, especially those containing SQL keywords like UNION or suspicious parameter values. 5. Deploy web application firewalls (WAFs) with rules specifically designed to detect and block SQL Injection attempts targeting phpIPAM endpoints. 6. Regularly audit active user sessions and invalidate stale or suspicious sessions to mitigate session hijacking risks. 7. Conduct security awareness training for administrators to recognize phishing and social engineering attacks that could lead to credential theft. 8. Where possible, isolate phpIPAM servers from public internet exposure, limiting access to internal networks only to reduce attack surface.