phpipam

I've been using it for several years. I like the features and find it to be the best open source option. I rate it low because it seems nearly every time I upgrade there are issues. The database checks will show there are problems and you click the "fix" button and it works, but then you go to use some feature and just get php errors spewed at you. Most of the upgrades have resorted to a fresh re-install. And most recently when going to reinstall, when you try to drop the tables in the database to start fresh, mySQL won't let you due to index dependency issues. Database design seems to be an after thought. Currently over 700 open issues.

Our company stopped using PHPIPAM (1.0) after a third-party auditor reported that it contained a number of security vulnerabilities, including SQL injections. For example, in functions-common.php, the get_menu_html() function reads in "subnetId" directly from the REQUEST, which gets passed to getAllParents(), which calls getSubnetDetailsById() in functions-network.php, which appears to drop the raw subnetId data right into a querystring executed at normal phpipam DB permissions. (You can grep the PHP code for more "$query" instances and back out to the related REQUEST or POST variable population to see similar examples.) The application also encourages IT admins to put "domain admin" credentials in clear text into the adLDAP.php file for optional AD/LDAP integration; there are safer ways to store these! (Using just MD5 for local user passwords also makes me nervous since a lot of the passwords stored here might be those of admins using the same password across multiple systems...) All in all, I think the project would benefit from a switch to PHP prepared statements and better credential protection. The functionality seems solid, but it could use better security (e.g., there appears to be some sanitization happening with parameters like username, but it's not universal), even if the app is normally only installed "behind the firewall."