We have fully incorporated this app into our environment now and have been using this software for almost a year so believe me when I say this - Simply the best put together Open Source app I have encountered. This is a simple concept that just works! Looks great too. The creator of this app responds to requests for help quicker than a paid IT service Desk!! All credit to Miha, well done!
Our company stopped using PHPIPAM (1.0) after a third-party auditor reported that it contained a number of security vulnerabilities, including SQL injections. For example, in functions-common.php, the get_menu_html() function reads in "subnetId" directly from the REQUEST, which gets passed to getAllParents(), which calls getSubnetDetailsById() in functions-network.php, which appears to drop the raw subnetId data right into a querystring executed at normal phpipam DB permissions. (You can grep the PHP code for more "$query" instances and back out to the related REQUEST or POST variable population to see similar examples.) The application also encourages IT admins to put "domain admin" credentials in clear text into the adLDAP.php file for optional AD/LDAP integration; there are safer ways to store these! (Using just MD5 for local user passwords also makes me nervous since a lot of the passwords stored here might be those of admins using the same password across multiple systems...) All in all, I think the project would benefit from a switch to PHP prepared statements and better credential protection. The functionality seems solid, but it could use better security (e.g., there appears to be some sanitization happening with parameters like username, but it's not universal), even if the app is normally only installed "behind the firewall."
There are no 1 star reviews.