phpipam Icon

phpipam open-source IP address management

User Ratings

★★★★★
★★★★
★★★
★★
38
2
0
1
0
ease 1 of 5 2 of 5 3 of 5 4 of 5 5 of 5 4 / 5
features 1 of 5 2 of 5 3 of 5 4 of 5 5 of 5 4 / 5
design 1 of 5 2 of 5 3 of 5 4 of 5 5 of 5 4 / 5
support 1 of 5 2 of 5 3 of 5 4 of 5 5 of 5 4 / 5
Write a Review

User Reviews

  • 1 of 5 2 of 5 3 of 5 4 of 5 5 of 5

    Our company stopped using PHPIPAM (1.0) after a third-party auditor reported that it contained a number of security vulnerabilities, including SQL injections. For example, in functions-common.php, the get_menu_html() function reads in "subnetId" directly from the REQUEST, which gets passed to getAllParents(), which calls getSubnetDetailsById() in functions-network.php, which appears to drop the raw subnetId data right into a querystring executed at normal phpipam DB permissions. (You can grep the PHP code for more "$query" instances and back out to the related REQUEST or POST variable population to see similar examples.) The application also encourages IT admins to put "domain admin" credentials in clear text into the adLDAP.php file for optional AD/LDAP integration; there are safer ways to store these! (Using just MD5 for local user passwords also makes me nervous since a lot of the passwords stored here might be those of admins using the same password across multiple systems...) All in all, I think the project would benefit from a switch to PHP prepared statements and better credential protection. The functionality seems solid, but it could use better security (e.g., there appears to be some sanitization happening with parameters like username, but it's not universal), even if the app is normally only installed "behind the firewall."

    Posted 11/11/2014

Thanks for helping keep SourceForge clean.

Screenshot instructions:
Windows
Mac
Red Hat Linux   Ubuntu

Click URL instructions:
Right-click on ad, choose "Copy Link", then paste here →
(This may not be possible with some types of ads)

More information about our ad policies
X

Briefly describe the problem (required):

Upload screenshot of ad (required):
Select a file, or drag & drop file here.

Please provide the ad click URL, if possible:

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

No, thanks