Skip to content

Instantly share code, notes, and snippets.

Created September 22, 2022 13:34
What would you like to do?
Header injection (SSRF) vulnerability in phpipam

Header injection vulnerability in phpipam version v1.5.0

The path of the vulnerability:

//In file
//line 21
// the source is $_POST[‘subnet’]
$res = $Subnets->resolve_ripe_arin ($_POST['subnet']);

//In file
//line 3523
public function resolve_ripe_arin ($subnet) {
    // ...
    // Note: We can bypass the check by choosing the value in this format
    // [the correct value for $subnet_check][.][injection value]
    //so reset will take the first value of tje explode and the condition will be true
    // take only first bit of ip address to match /8 delegations
    $subnet_check = reset(explode(".", $subnet));
    // ripe or arin?
    if (in_array($subnet_check, $this->ripe)){ 
        // the injection in $subnet
        return $this->query_ripe ($subnet); 

// In file
// line 3545
private function query_ripe ($subnet) {
    // ripe_arin_fetch method will be called
    $ripe_result = $this->identify_address ($subnet)=="IPv4" ? $this->ripe_arin_fetch ("ripe", "inetnum", $subnet) : $this->ripe_arin_fetch ("ripe", "inet6num", $subnet);
    // ...
// In file
// line 3633
private function ripe_arin_fetch ($network, $type, $subnet) {
    // set url
    // $subnet is added to $url without sanitization
    // which can go backward in the directory ../../admin/
    $url = $network=="ripe" ?$type/$subnet :;q=$subnet?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2;

    $result = $this->curl_fetch_url($url, ["Accept: application/json"]);

    $result['result'] = json_decode($result['result']);

    // result
    return $result;

// In file
// line 1443
// the execution for the curl
public function curl_fetch_url($url, $headers=false, $timeout=30) {
    $result = ['result'=>false, 'result_code'=>503, 'error_msg'=>''];


    try {
        $curl = curl_init();
        // Note: $url is not sanitized
        curl_setopt($curl, CURLOPT_URL, $url);

        $result['result']      = curl_exec($curl);
        $result['result_code'] = curl_getinfo($curl, CURLINFO_HTTP_CODE);
        $result['error_msg']   = curl_error($curl);

        // close
        curl_close ($curl);

    } catch (Exception $e) {
        $result['error_msg'] = $e->getMessage();

    return $result;

The developers were informed of the report by sending an email on 19/06/2022.

Copy link

enferas commented Oct 3, 2022

CVE-2022-41443 is assigned to this discovery.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment