phpIPAM 1.4 - SQL-Injection
phpIPAM 1.4 - SQL-Injection
AI Analysis
Technical Summary
phpIPAM 1.4 suffers from an SQL Injection vulnerability (CVE-2019-16693) located in the /app/admin/custom-fields/order.php endpoint. The vulnerability arises because the 'table' parameter in the POST request is not properly sanitized, allowing an attacker with valid admin credentials to inject arbitrary SQL commands. The proof-of-concept exploit demonstrates a UNION-based SQL injection that can be executed by sending a specially crafted POST request containing malicious SQL payloads while authenticated as an admin user. This flaw enables attackers to read, modify, or delete database records, potentially compromising the confidentiality and integrity of the IP address management data stored in phpIPAM. The exploit requires a valid session cookie (PHPSESSID) and admin privileges, meaning the attacker must first obtain legitimate credentials or hijack a session. The vulnerability is medium severity due to the authentication requirement and lack of known active exploitation, but the impact on network management data can be significant. No official patch links are provided in the data, but the issue is documented on Exploit-DB with detailed exploit code. Organizations using phpIPAM 1.4 should consider immediate mitigation steps to prevent exploitation.
Potential Impact
For European organizations, this vulnerability poses a risk to the confidentiality and integrity of network infrastructure data managed by phpIPAM. Successful exploitation could allow attackers to extract sensitive IP address allocations, network topology information, or modify configuration data, potentially disrupting network operations or enabling further lateral attacks. Given phpIPAM's role in IP address management, compromised data could lead to misconfigurations, denial of service, or unauthorized network access. The requirement for admin credentials limits the attack surface but does not eliminate risk, especially if credential theft or session hijacking occurs. Organizations in sectors with critical network infrastructure, such as telecommunications, finance, and government, are particularly at risk. The medium severity rating reflects the balance between the need for authentication and the potential damage from database compromise. Without timely mitigation, attackers could leverage this vulnerability to gain persistent access or disrupt network management processes.
Mitigation Recommendations
1. Upgrade phpIPAM to the latest version where this SQL Injection vulnerability is patched. If an official patch is unavailable, consider applying community patches or backporting fixes from newer versions. 2. Implement strict input validation and use parameterized queries or prepared statements in the affected code to prevent SQL Injection. 3. Restrict admin access to phpIPAM to trusted networks and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. 4. Monitor web server and application logs for unusual POST requests to /app/admin/custom-fields/order.php, especially those containing suspicious SQL syntax or UNION statements. 5. Employ web application firewalls (WAFs) with rules to detect and block SQL Injection attempts targeting phpIPAM endpoints. 6. Regularly audit user sessions and invalidate stale or suspicious sessions to prevent session hijacking. 7. Conduct security awareness training for administrators to recognize phishing or social engineering attempts that could lead to credential theft. 8. Isolate phpIPAM servers from public internet exposure where possible, limiting access to internal networks only.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Indicators of Compromise
- exploit-code: # Exploit Title: phpIPAM 1.4 - SQL Injection # Date: 2025-11-25 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/phpipam/phpipam/ # Software Link: https://github.com/phpipam/phpipam/ # Version: 1.4 # Tested on: Windows # CVE : CVE-2019-16693 Proof Of Concept # Ensure you have a valid user session before executing the PoC. POST /app/admin/custom-fields/order.php HTTP/1.1 Host: phpipam Content-Type: application/x-www-form-urlencoded Cookie: PHPSESSID=<valid_session_id> table=test_table%60+UNION+SELECT+1%2C2%2C3+--+¤t=non-empty&next=non-empty&action=add Steps to Reproduce 1. Login as an admin user. 2. Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensure it includes a valid session cookie. 3. Observe the result
phpIPAM 1.4 - SQL-Injection
Description
phpIPAM 1.4 - SQL-Injection
AI-Powered Analysis
Technical Analysis
phpIPAM 1.4 suffers from an SQL Injection vulnerability (CVE-2019-16693) located in the /app/admin/custom-fields/order.php endpoint. The vulnerability arises because the 'table' parameter in the POST request is not properly sanitized, allowing an attacker with valid admin credentials to inject arbitrary SQL commands. The proof-of-concept exploit demonstrates a UNION-based SQL injection that can be executed by sending a specially crafted POST request containing malicious SQL payloads while authenticated as an admin user. This flaw enables attackers to read, modify, or delete database records, potentially compromising the confidentiality and integrity of the IP address management data stored in phpIPAM. The exploit requires a valid session cookie (PHPSESSID) and admin privileges, meaning the attacker must first obtain legitimate credentials or hijack a session. The vulnerability is medium severity due to the authentication requirement and lack of known active exploitation, but the impact on network management data can be significant. No official patch links are provided in the data, but the issue is documented on Exploit-DB with detailed exploit code. Organizations using phpIPAM 1.4 should consider immediate mitigation steps to prevent exploitation.
Potential Impact
For European organizations, this vulnerability poses a risk to the confidentiality and integrity of network infrastructure data managed by phpIPAM. Successful exploitation could allow attackers to extract sensitive IP address allocations, network topology information, or modify configuration data, potentially disrupting network operations or enabling further lateral attacks. Given phpIPAM's role in IP address management, compromised data could lead to misconfigurations, denial of service, or unauthorized network access. The requirement for admin credentials limits the attack surface but does not eliminate risk, especially if credential theft or session hijacking occurs. Organizations in sectors with critical network infrastructure, such as telecommunications, finance, and government, are particularly at risk. The medium severity rating reflects the balance between the need for authentication and the potential damage from database compromise. Without timely mitigation, attackers could leverage this vulnerability to gain persistent access or disrupt network management processes.
Mitigation Recommendations
1. Upgrade phpIPAM to the latest version where this SQL Injection vulnerability is patched. If an official patch is unavailable, consider applying community patches or backporting fixes from newer versions. 2. Implement strict input validation and use parameterized queries or prepared statements in the affected code to prevent SQL Injection. 3. Restrict admin access to phpIPAM to trusted networks and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. 4. Monitor web server and application logs for unusual POST requests to /app/admin/custom-fields/order.php, especially those containing suspicious SQL syntax or UNION statements. 5. Employ web application firewalls (WAFs) with rules to detect and block SQL Injection attempts targeting phpIPAM endpoints. 6. Regularly audit user sessions and invalidate stale or suspicious sessions to prevent session hijacking. 7. Conduct security awareness training for administrators to recognize phishing or social engineering attempts that could lead to credential theft. 8. Isolate phpIPAM servers from public internet exposure where possible, limiting access to internal networks only.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52453
- Has Exploit Code
- true
- Code Language
- text
Indicators of Compromise
Exploit Source Code
Exploit code for phpIPAM 1.4 - SQL-Injection
# Exploit Title: phpIPAM 1.4 - SQL Injection # Date: 2025-11-25 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/phpipam/phpipam/ # Software Link: https://github.com/phpipam/phpipam/ # Version: 1.4 # Tested on: Windows # CVE : CVE-2019-16693 Proof Of Concept # Ensure you have a valid user session before executing the PoC. POST /app/admin/custom-fields/order.php HTTP/1.1 Host: phpipam Content-Type: application/x-www-form-urlencoded Cookie: PHPSESSID=<valid_session_id> table... (285 more characters)
Threat ID: 6930038e7fb5593475c25cf2
Added to database: 12/3/2025, 9:31:58 AM
Last enriched: 12/3/2025, 9:32:34 AM
Last updated: 12/5/2025, 6:18:36 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
5 Threats That Reshaped Web Security This Year [2025]
MediumRecord 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts
MediumMicrosoft Silently Patches Windows LNK Flaw After Years of Active Exploitation
HighAttempts to Bypass CDNs, (Wed, Dec 3rd)
MediumDjango 5.1.13 - SQL Injection
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.