Headline
CVE-2022-41443: Header injection (SSRF) vulnerability in phpipam
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
<?php //In file https://github.com/phpipam/phpipam/blob/master/app/admin/subnets/ripe-query.php //line 21 // the source is $_POST[‘subnet’] $res = $Subnets->resolve_ripe_arin ($_POST[‘subnet’]);
// Review note: $_POST['subnet'] is untrusted request input handed straight to resolve_ripe_arin().
// Validate it at this boundary as a well-formed IP address (plus prefix length, if one is expected)
// and reject anything else, so the downstream URL construction never sees an arbitrary string.
//In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php //line 3523 public function resolve_ripe_arin ($subnet) { // … // Note: We can bypass the check by choosing the value in this format // [the correct value for $subnet_check][.][injection value] //so reset will take the first value of the explode and the condition will be true // take only first bit of ip address to match /8 delegations $subnet_check = reset(explode(".", $subnet)); // ripe or arin? if (in_array($subnet_check, $this->ripe)){ // the injection in $subnet return $this->query_ripe ($subnet); } //… }
// Review note: the in_array() check constrains only the first dot-separated label of $subnet; the rest
// of the string is forwarded untouched to query_ripe() and from there into a URL. The fix is to
// validate the whole value as an IP address/prefix before this lookup (e.g. filter_var() with
// FILTER_VALIDATE_IP on the address part) rather than trusting the first octet alone, and to pass
// strict: true to in_array() so the membership test is not loosened by type juggling.
// In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php // line 3545 private function query_ripe ($subnet) { // ripe_arin_fetch method will be called $ripe_result = $this->identify_address ($subnet)=="IPv4" ? $this->ripe_arin_fetch ("ripe", "inetnum", $subnet) : $this->ripe_arin_fetch ("ripe", “inet6num", $subnet); // … } // In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php // line 3633 private function ripe_arin_fetch ($network, $type, $subnet) { // set url // $subnet is added to $url without sanitization // which can go backward in the directory …/…/admin/ $url = $network=="ripe” ? https://rest.db.ripe.net/ripe/$type/$subnet : https://whois.arin.net/rest/nets;q=$subnet?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2;
// Review note: $subnet is interpolated into the URL path as-is. Whatever survives the caller's
// first-octet check reaches the remote request unchanged, so the segment should be rawurlencode()d
// here and the value validated as an IP address/prefix before this point; a fixed remote host does
// not help when the path can be steered by the input.
$result = $this\->curl\_fetch\_url($url, \["Accept: application/json"\]);
// json_decode() yields null on a malformed body; callers should check json_last_error() (or pass
// JSON_THROW_ON_ERROR) rather than treating null as "no data".
$result\['result'\] = json\_decode($result\['result'\]);
// result
return $result;
}
// In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php // line 1443 // the execution for the curl public function curl_fetch_url($url, $headers=false, $timeout=30) { $result = ['result’=>false, 'result_code’=>503, ‘error_msg’=>’’];
// Review note: this is a generic fetcher, so $url must already be trustworthy when it arrives here;
// the callers that build it (see ripe_arin_fetch) own validation and encoding of what they interpolate.
//...
try {
$curl = curl\_init();
// curl_init() signals failure with a false return, not an Exception, so the catch below does not
// cover it; check `$curl === false` before the first curl_setopt() call.
// Note: $url is not sanitized
curl\_setopt($curl, CURLOPT\_URL, $url);
// Defence in depth for a fetcher that takes caller-built URLs: restrict CURLOPT_PROTOCOLS and
// CURLOPT_REDIR_PROTOCOLS to CURLPROTO_HTTP | CURLPROTO_HTTPS, and cap CURLOPT_MAXREDIRS if
// CURLOPT_FOLLOWLOCATION is enabled among the elided options (not visible in this excerpt).
//....
$result\['result'\] = curl\_exec($curl);
$result\['result\_code'\] = curl\_getinfo($curl, CURLINFO\_HTTP\_CODE);
$result\['error\_msg'\] = curl\_error($curl);
// close
curl\_close ($curl);
} catch (Exception $e) {
$result\['error\_msg'\] = $e\->getMessage();
}
return $result;
}
The developers were informed of this finding by email on 19/06/2022.