Release notes from phpipam
https://github.com/phpipam/phpipam/releases
2025-11-27T18:40:23Z

1.7.4 (2025-11-27T18:53:28Z, GaryAllan)

Bugfixes:
----------------------------
+ Backported PHP8 compatibility fixes;
+ Can not empty address fields (#4322);
+ jQuery error when adding an IP address range (#4350);

Security Fixes:
----------------------------
+ Added CSRF cookie for clear-changelog and clear-log;
+ XSS - Reflected in install scripts;
+ XSS - Unsafe HTML allowed in Request IP Instructions;
+ XSS - Unsafe HTML allowed in Password vault;
+ Local exposure of DB credentials via mysqldump;
+ RCE - Authenticated remote code execution via ping_path;

1.7.3 (2024-11-27T21:26:11Z, GaryAllan)

Bugfixes:
----------------------------
+ Backported PHP8 compatibility fixes;
+ Workaround PHP bug GH-16870 (#4339);
+ Request new IP hangs (#4346);

1.7.2 (2024-11-22T19:13:14Z, GaryAllan)

Bugfixes:
----------------------------
+ Slow UI performance with bootstrap v3.4.1 (#4311);

1.7.1 (2024-11-17T21:39:09Z, GaryAllan)

Bugfixes:
----------------------------
+ Backported PHP8 compatibility fixes;
+ Fixed passkeys upgrade queries;
+ MySQL no active transaction error during upgrades (#4319);
+ $config['disable_main_login_form'] shows blank page (#4317);
+ Unable to clear custom fields (#4313);

Security Fixes:
----------------------------
+ XSS - reflected via HTTP_X_FORWARDED_PORT;

1.7.0 (2024-10-30T21:35:04Z, GaryAllan)

New features:
------------
+ php8.3 compatibility;
+ Added support for passkeys / passwordless logins;
+ API:
  + Added API changelog;

Bugfixes:
----------------------------
+ Fixed Use UTF-16LE encoding for XLS sheet names, and UTF-8 as input encoding (#3977);
+ Fixed Update login_form.php for installation inside subdir (#3954);
+ Fixed php8 constructor fix for radius class (#3985);
+ Fixed Force mac address update during status update scan (#3791);
+ Fixed RADIUS authentication fails on 1.6.0 (#3986);
+ Fixed cannot add NAT issue (#3993);
+ Fixed Various Linked Addresses issues (#3275, #4188, #4189, #3274);
+ Fixed Duplicates tool not finding ALL duplicates (#4161);
+ Fixes fetch_favourite_subnets function returns empty array instead of false (#4182);
+ Fixed Dashboard widget widths are not correct percentage (#4176);
+ Fixed remove_offline_addresses.php can't execute (#4173);
+ Fixed Searches do not properly organize results (#3917);
+ Fixed Expand/compress all folders not working properly (#3583);
+ Fixed Bug when adding a user to a group (#4137);
+ Fixed Password validation errors (#4099,#2423);
+ Fixed Ripe import results in jQuery error (#4007);
+ Fixed Ripe import crashes if too many subnets are found (#4180);
+ Fixed Devices with height 0 crash Rack image generation (#4193);
+ Fixed Custom field not working in Routing module (#4174);
+ Fixed Circuit Type showing differently in two windows (#4104);
+ Fixed Vault Item Custom Field not writable (#4058);
+ Fixed Undefined variable when adding nameserver (#4230);
+ Fixed Tag Management Color Picker (#3629);
+ Fixed Arrows for linked addresses do not match between themes (#4216);
+ Fixed Captcha and invalid login checks (#3480, #4198);
+ Fixed 2FA TOTP validation issues (#3724);

Enhancements, changes:
----------------------------
+ Added support for redundant PowerDNS databases (#3981);
+ Added option to export data for VLAN,VRF and Devices directly from tools page;
+ Added option to disable OpenStreetMap address geoip lookups;
+ Added $api_stringify_results config.php option for <PHP81 API backwards compatibility;
+ Added support for newly added widgets to be sortable with jQuery (#4711);
+ Added support for using widget parameters; added recent_logins widget (#4184);

Security Fixes:
----------------------------
+ Upgraded jQuery to 3.7.1;
+ Upgraded bootstrap to 3.4.1;
+ Upgraded jQuery-ui to 1.13.3;
+ Cookies set without Secure attribute;
+ Multiple XSS injections (#4145,#4146,#4147,#4148,#4149,#4150,#4151);
+ HTML DOM XSS injection via filenames when uploading (#4160);
+ Escape loaded database strings by default, stored XSS defence;
+ Increase minimum 2FA secret length to 32 (160bit);
+ Disable /app/install/ helper scripts via config.php $disable_installer;
+ LDAP user searches sent without ssl/tls;

1.6.1 (2024-10-29T21:26:56Z, GaryAllan)

Bugfixes:
----------------------------
+ Fixed RADIUS authentication fails on 1.6.0 (#3986);
+ Fixed cannot add NAT issue (#3993);

Security Fixes:
----------------------------
+ Multiple XSS injections (#4145,#4146,#4147,#4148,#4149,#4150,#4151);
+ HTML DOM XSS injection via filenames when uploading (#4160);
+ Disable /app/install/ helper scripts via config.php $disable_installer;

1.6.0 (2023-12-13T11:57:37Z, phpipam)

Enhancements, changes:
----------------------------
+ php8.3 compatibility;
+ MySQL 5.5.3+ is now required (support for utf8mb4);
+ Reverse-proxy users should review the new config.php $trust_x_forwarded_headers setting;

Security Fixes:
----------------------------
+ SQL injection in custom field enum/set types;
+ Directory traversal possible in RIPE query;
+ XSS (reflected) in 'bw-calulator-result.php';
+ XSS (reflected) by invalid email address response;
+ XSS (reflected) by /app/tools/subnet-masks/popup.php (#3738);
+ XSS (stored) in user widget settings;
+ XSS and LDAP injection in ad-search-result.php;
+ XSS and LDAP injection in ad-search-group-result.php;
+ Restrict find_full_subnets.php to CLI;
+ Ensure confidentiality of database password;

1.5.2 (2023-03-06T22:24:52Z, GaryAllan)

Bugfixes:
----------------------------
+ Fixed MySQL server has gone away error (#3759);

Security Fixes:
----------------------------
+ SQL injection in custom field enum/set types;
+ Directory traversal possible in RIPE query;
+ XSS (reflected) by /app/tools/subnet-masks/popup.php (#3738);
+ XSS (stored) in user widget settings;
+ XSS and LDAP injection in ad-search-group-result.php;

1.5.1 (2023-02-04T11:32:06Z, GaryAllan)

Security Fixes:
----------------------------
+ XSS (reflected) in 'bw-calulator-result.php';
+ XSS (reflected) by invalid email address response;
+ XSS and LDAP injection in ad-search-result.php;
+ Restrict find_full_subnets.php to CLI;
+ Ensure confidentiality of database password;

1.5.0 (2022-05-02T19:57:48Z, GaryAllan)

New features:
------------
+ Mark subnet as isPool to allocate network and broadcast addresses;
+ Optionally hide section subnet menus;
+ L2 Domains user permissions;
+ Add scanPingType=="none" option to disable scanning;
+ Custom fields on IP request forms (#2956);
+ Added subnet free space map for each possible subnet mask;
+ Added Vaults (Certificate and password storing);
+ Added Tools->Duplicate subnets & IP page;
+ Added config.php offline_mode to disable server-side Internet lookups (#3462);
+ Added MAC vendor lookup widget;

Enhancements, changes:
----------------------------
+ php7.4 compatibility;
+ SameSite attribute enabled for site cookies;
+ SAML2
  + php-saml updated to 3.4.1 (#3055);
  + Removal of php-mcrypt dependency;
  + Drop support for idpcertfingerprint;
  + MAP_SAML_USER and SAML_USERNAME config.php configuration moved to db;
  + php-saml protocol debugging;
  + Support for signed assertions;
  + SAML usernames can be extracted from assertion attributes (#2948);
  + JIT auto-provisioning of accounts (#3389);
+ Selectable mask for number of subnets/hosts in subnet masks;
+ Switch from Google Maps to OpenStreetMap and Nominatim;

Bugfixes:
----------------------------
+ Fixed upgrade queries issues from 1.3.x to 1.4+ (#3130);
+ Fixed boolean printout in footer (#2625);
+ Fixed BGP Admin isn't working (#2631);
+ do not show statistics in dashboard widget for disabled modules (#2602);
+ MySQL 8.0 compatibility. (#2646,#2239,#3036);
+ MariaDB Galera Cluster compatibility (#2498,#3413);
+ Permit non-numeric postcodes for customers (#2393);
+ Bandwidth calculator - 400 Bad Request (#1807,#2648);
+ Table layout not aligned (#2656,#3105,#3113);
+ Improve scanning requirement checks (#1183);
+ Date picker hidden (#2673);
+ PDNS Add/Edit DNS record not working for normal users (#2686);
+ Unable to save settings with link addresses = text custom field (#2702);
+ Kea MAC address display issue (#2704);
+ Returned custom fields to devices table (#2572);
+ Invalid scan agent key warning;
+ Subnet filter issue when IP contains 0 octet. (#2748);
+ Add VLAN button not working (#2741);
+ Incorrect subnet links in /tools/vrf/ view. (#2774);
+ Location data missing in exports. (#2833);
+ Check mysqldump path when exporting database;
+ Current rack position missing when editing a device. (#2545);
+ Permit colon in firewall zone interface names (#2737);
+ Fixed PowerDNS txt SPF editing (#1641);
+ Blank 'MAC' on SNMP-ARP and SNMP-MAC scans (#2911);
+ Incorrect network/broadcast calculation for IPv6 (#2879);
+ Increase allowed email and password lengths (#3021);
+ Wrong unit location for dual-sided racks (#3086);
+ Linked ip_addr shows integer notation (#3100);
+ Invalid scan type () error (#2785);
+ Invalid CSRF cookie editing rack items (#2556);
+ FPing discovery marks all addresses as alive (#2888);
+ Subnet usage calculation updated for nested subnets;
+ SNMP, number of discovered hosts exceed maximum warning (#3279);
+ Exclude IPv6 from Ping and Discovery scans (#3354);
+ Fix for SAML/2FA/login redirections (#3492, #3435, #3517);
+ php_sessions table doesn't exist error when upgrading (#3417);
+ Changelog data too long for column errors (#3376,#3398);
+ RFC 6265 compliant cookies (#3452);
+ Require unique subnets not working as intended (#3529);
+ API:
  + Fixed /user/ calls for SSL with app code (static app code);
  + Address IP field not displayed when using filter_by (#2934);
  + Addresses first_free & Subnets first/last_subnet thread safety (#2960);

Security Fixes:
----------------------------
+ SQL injections processing `tableName` (#2738);
+ SQL injections processing `ftype` (#2751);
+ All circuits map, PHP object injection (#2937);
+ Upgraded jQuery to 3.5.1 (#3119);
+ Stored XSS in instructions widgets (#3025, #3360);
+ PHP session ID fixation (#3342);
+ XSS (reflected) in IP calculator (#3351);
+ XSS in pass-change/result.php (#3373);
+ SQL injection in edit-bgp-mapping-search.php;
+ Stored XSS in the "Site title" parameter;
+ XSS while uploading CVS files;
+ XSS (reflected) in 'find subnets';
+ Incorrect privilege assignments (#3506);
+ XSS (reflected) in ripe-arin-query;
+ XSS (reflected) in import previews;

Translations:
----------------------------
+ Update Traditional Chinese support to version 1.5 (#2658);
+ Update Simplified Chinese Translation (#2725);
+ Italian (it_IT) translation added (#2813);
+ Updated German translation (#2970, #3065);
+ Updated Russian translation (#3028, #3367);