INEX, the internet peering point for Ireland, is pleased to announce the immediate availability of IXP Manager v7.2.0. This is primarily a security release following an independent security audit funded by ENISA and follow-up internal hardening.
⚠️ All IXP Manager users should upgrade to v7.2.0. Please note that v6 of IXP Manager is no longer supported because the versions of many of its underlying requirements (for example, PHP and Laravel) have reached their end of life.
This release also includes some bug fixes, improvements, and new features. In particular, we are delighted to introduce our new combined peer-to-peer graph functionality.
This release includes contributions via the IXP Manager Sponsorship Program, and we’d like to extend our gratitude to BCIX (Berlin), NIX (Norway), INX ZA (South Africa), LONAP (London), GRIX (Greece), InterLAN (Romania) and SLIX (Salt Lake, USA).
🚨 We do need more sponsors, and if you are interested, please contact us.
Upgrade Instructions
The official upgrade instructions can be found here. Follow these, including the database migrations.
NB: The security enhancements introduced in v7.1.0 to secure access to administrative functions included a default setting that allowed older, unsecured URLs to continue working. This release, v7.2.0, now reverses that default and blocks access to the older URLs by default. See the transition documentation here.
Security
In 2022, ENISA, the European Union Agency for Cybersecurity, was tasked with establishing and rolling out the Cybersecurity Support Action Programme, a fund for the provision of cybersecurity services to support Member States. In Ireland, the NCSC (the Irish National Cybersecurity Centre) was tasked with administering this initiative.
INEX applied to this programme for a web application vulnerability assessment and was accepted. During February 2026, a team from S2 Grupo, a firm specialising in cyber intelligence and mission-critical systems operations, conducted a seven-day "grey box" penetration test on the then-latest release of IXP Manager (v7.0.1).
Not only was this an exercise that benefits INEX in Ireland, but it also benefits all EU member states, as there is at least one IXP in each country using IXP Manager, for a total of 60 IXPs in the EU and at least 260 worldwide.
S2 Grupo identified and categorised three medium-risk and one low-risk vulnerability. These have been addressed in this release and are detailed below. Furthermore, these findings prompted our development team to conduct a proactive internal audit and to use a new technique to identify and resolve several potential XSS-related issues.
INEX takes cybersecurity seriously, both as the primary IXP in Ireland and as the open-source steward of the IXP Manager project. We were pleased to participate in this funded assessment and are gratified that our secure coding methodology proved effective, with no issues rated high or critical found. We are proud that this collaboration between INEX, ENISA, S2 Grupo, and the NCSC contributes to the security of the global internet exchange community.
Penetration Test Details
The penetration test results included three medium-risk and one low-risk vulnerability.
[VULN-01] Unsecured input data management – Persistent Cross-Site Scripting (XSS)
Two instances of an XSS vulnerability were found, and both have been corrected in this release. Exploitation requires administrative-level access.
We also ran an internal programme to detect additional XSS vulnerabilities and remediated them, including one reflected XSS vulnerability. Like those found in the ENISA-funded assessment, these all required administrative access.
[VULN-02] Lack of Headers – X-Frame-Options and Content Security Policy
This vulnerability is not IXP Manager-specific and applies to any web application. The report found:
It was identified that the X-Frame-Options header was missing from the server responses.
The X-Frame-Options header allowed specifying whether a frame or iframe was permitted to embed the web content. Websites could use it to prevent clickjacking attacks by ensuring their content was not embedded in other sites.
You should update your web server's configuration to set this header. For example, in Apache2 (this requires mod_headers to be enabled; on Debian/Ubuntu run a2enmod headers and reload Apache), you would:
<Directory /srv/ixpmanager/public>
    Header set X-Frame-Options "DENY"
    ...
</Directory>
We have updated our automated installer script and our manual installation instructions to reflect this recommendation.
The report also mentioned Content Security Policy without going into detail. We have noted this for future work.
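The following is an added check, not from the release notes or the IXP Manager code base, that parses a captured response header block and reports whether anti-framing protection is in place. It also looks for a Content-Security-Policy frame-ancestors directive, which is the CSP replacement for X-Frame-Options and takes precedence over it in browsers that support both. The sample responses are constructed and the hostname in the comments is a placeholder.

```python
"""Added check (not from the release notes or the IXP Manager code base)
for the anti-framing headers discussed under VULN-02.

It parses a raw HTTP response header block, such as the output of
`curl -sI https://ixp.example.com/` (placeholder hostname), and reports
whether X-Frame-Options is set to DENY or SAMEORIGIN, and whether a
Content-Security-Policy frame-ancestors directive is present. frame-ancestors
is the CSP replacement for X-Frame-Options and takes precedence over it in
browsers that support both. The sample responses below are constructed.
"""
import sys
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a header block into {lower-cased name: [values...]}.

    The status line and blank lines are skipped; all values of a repeated
    header are kept so that duplicates can be reported.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_frame_headers(raw: str) -> dict:
    """Return a verdict: 'protected' is True when X-Frame-Options is
    DENY/SAMEORIGIN or CSP carries frame-ancestors; 'notes' lists what
    is missing or wrong."""
    headers = parse_headers(raw)
    xfo_values = headers.get("x-frame-options", [])
    csp_values = headers.get("content-security-policy", [])

    xfo = xfo_values[0].upper() if len(xfo_values) == 1 else None
    xfo_ok = xfo in ("DENY", "SAMEORIGIN")
    csp_ok = any("frame-ancestors" in v.lower() for v in csp_values)

    notes = []
    if not xfo_values:
        notes.append("X-Frame-Options missing")
    elif len(xfo_values) > 1:
        notes.append("X-Frame-Options sent more than once: " + ", ".join(xfo_values))
    elif not xfo_ok:
        notes.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN "
                     "(ALLOW-FROM is obsolete and ignored by current browsers)")
    if not csp_values:
        notes.append("Content-Security-Policy missing")
    elif not csp_ok:
        notes.append("Content-Security-Policy present but has no frame-ancestors directive")

    return {"protected": xfo_ok or csp_ok, "xfo": xfo,
            "csp_frame_ancestors": csp_ok, "notes": notes}


# Constructed sample responses; not captured from any real server.
MISSING = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
HARDENED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: DENY\r\n"
            "Content-Type: text/html\r\n\r\n")
CSP_ONLY = ("HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
            "frame-ancestors 'none'\r\n\r\n")

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else MISSING
    result = check_frame_headers(raw)
    print("protected" if result["protected"] else "NOT protected")
    for note in result["notes"]:
        print(" -", note)
    sys.exit(0 if result["protected"] else 1)
```

Pipe real headers into it after applying the Apache change, e.g. curl -s -D - -o /dev/null https://ixp.example.com/ | python3 check_frame_headers.py (a GET rather than HEAD, in case the application handles HEAD differently), and check a few authenticated pages rather than only the login page. On nginx the equivalent directive is add_header X-Frame-Options "DENY" always; with the always flag so that error responses carry it too.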
[VULN-03] User Enumeration via Differentiated HTTP Responses
It has been identified that certain web resources allow user enumeration by returning different HTTP responses depending on whether a user identifier exists in the application database.
After investigation, we determined that it is user ID enumeration (the auto-incrementing primary key), not user enumeration, and this was only possible for logged-in users. This has been corrected in this release.
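The Python sketch below is an added illustration of the vulnerability class, not IXP Manager code; the users, customers, route logic and status codes are constructed. It contrasts a fetch-then-authorise handler, whose 403-versus-404 responses tell a logged-in caller which auto-incremented IDs exist, with a handler that scopes the lookup to the caller's own customer so that both cases return the same response, and includes a small probe that detects the oracle.

```python
"""Added illustration of the user-ID enumeration class described under
VULN-03. This is not IXP Manager code: the users, customers, route logic
and status codes are constructed to show the pattern, not the project's
actual endpoints.

A logged-in user asks for user record {id}. The fetch-then-authorise
handler answers 404 for an ID that does not exist and 403 for one that
belongs to another customer, so the difference tells the caller which
auto-incremented IDs are in use. The hardened handler scopes the lookup to
the caller's own customer, so both cases collapse to one response.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple

Response = Tuple[int, str]  # (HTTP status, body)


@dataclass(frozen=True)
class User:
    id: int
    custid: int
    username: str


# Constructed sample data: auto-incrementing IDs spanning two customers.
USERS: Dict[int, User] = {
    1: User(1, 10, "alice"),
    2: User(2, 10, "bob"),
    3: User(3, 20, "carol"),
}


def vulnerable_show_user(requester: User, user_id: int) -> Response:
    """Fetch first, authorise second: the status code leaks existence."""
    target = USERS.get(user_id)
    if target is None:
        return 404, "not found"
    if target.custid != requester.custid:
        return 403, "forbidden"
    return 200, target.username


def hardened_show_user(requester: User, user_id: int) -> Response:
    """Restrict the lookup to the requester's customer (in SQL terms,
    WHERE id = ? AND custid = ? in one query), so "absent" and "not yours"
    are indistinguishable."""
    target = USERS.get(user_id)
    if target is None or target.custid != requester.custid:
        return 404, "not found"
    return 200, target.username


def is_enumeration_oracle(handler: Callable[[User, int], Response],
                          requester: User, ids: Iterable[int]) -> bool:
    """Probe a range of IDs as `requester`; if the handler gives more than
    one distinct non-200 response, an attacker can sort IDs into
    "exists" versus "does not exist" and so enumerate them."""
    denied = {handler(requester, i) for i in ids}
    denied = {r for r in denied if r[0] != 200}
    return len(denied) > 1


if __name__ == "__main__":
    alice = USERS[1]
    for name, handler in (("vulnerable", vulnerable_show_user),
                          ("hardened", hardened_show_user)):
        print(name, [handler(alice, i) for i in range(1, 6)],
              "oracle:", is_enumeration_oracle(handler, alice, range(1, 6)))
```

In an ORM such as Eloquent the equivalent of hardened_show_user is putting the customer constraint into the same query as the ID lookup rather than fetching by primary key and authorising afterwards. The probe only compares status and body; when testing a real endpoint, compare response headers and timing as well, since those can differentiate the two cases just as effectively.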
[VULN-04] Information Disclosure – Error messages
In a particular error state, IXP Manager handled an exception by displaying the underlying SQL query. The penetration testers recognised that while IXP Manager is an open-source application and these queries are freely available, it would be more appropriate not to provide this information in a production environment.
This issue is corrected in this release.
New Features
Combined Peer-to-Peer Graphing
Users of IXP Manager's peer-to-peer (P2P) graphing functionality will know that, until now, the graphs were not aggregated and could only be viewed on a per-IXP, per-protocol basis.
This release of IXP Manager introduces combined P2P graphs as the new default - your members will now be able to see all traffic exchanged with any peer over all infrastructures, ports and protocols, along with the ability to drill down to view these individually.
Together with the combined P2P statistics table introduced in a previous release, your members will now have a much more informative, intuitive and useful view of their P2P traffic flows.
Support for bgpq4
We’ve officially added support for bgpq4 to IXP Manager, providing a modern alternative to the long-standing bgpq3 for generating IRRDB-based prefix filters. While bgpq3 has served the community well for years, bgpq4 is faster and actively maintained to handle the ever-increasing scale of global routing tables.
bgpq3 remains the default. Switching to bgpq4 should be seamless: ensure it is installed, then either update the setting in the UI or set the following in your .env:
# This can be either bgpq3 (default) or bgpq4:
IXP_IRRDB_UTILITY=bgpq4
# Path to bgpq4 utility - uses $PATH by default:
IXP_IRRDB_BGPQ4_PATH=bgpq4
Local ASN Resolution
Previously, when you clicked on an AS number in IXP Manager, your browser made an API call to IXP Manager, which in turn made an API call to PeeringDB. This was often quite slow.
We now download and store bgp.tools' ASN Name export on a weekly basis. ASN lookups are now significantly faster. Thanks to @benjojo for this facility.
You can populate the database when you upgrade to v7.2.0 via:
./artisan utils:asn-update -v
Side Note: Laravel does not currently have a means to offset periodic tasks, i.e. we would not want ~260 instances of IXP Manager to download the CSV file at the same time (albeit load-balanced by time zone). In this release, we have implemented a custom jitter function for periodic tasks using a hash of the application key (APP_KEY in .env). This randomises the job across IXP Manager installations but keeps it consistent within each installation.
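As an added example (Python, not the project's PHP implementation), the following shows the scheme the side note describes: hash the installation's APP_KEY to a fixed offset within the scheduling window, so each instance always gets the same slot while different instances spread across the window. The weekly window, the choice of SHA-256 and the sample keys are assumptions.

```python
"""Added example of deterministic per-installation jitter for a scheduled
task, illustrating the scheme described in the side note above. This is a
Python sketch, not the project's Laravel implementation; the weekly window,
the use of SHA-256 and the sample keys are assumptions.

The offset is derived from APP_KEY, a secret that is fixed per
installation, so one instance always runs in the same slot while different
instances spread across the window instead of all fetching at once.
"""
import hashlib
from datetime import datetime, timezone
from typing import Iterable, List

WEEK = 7 * 24 * 60 * 60  # scheduling window in seconds (assumed)


def jitter_seconds(app_key: str, window_seconds: int = WEEK) -> int:
    """Map APP_KEY to a stable offset in [0, window_seconds).

    Hashing (rather than using the key bytes directly) spreads offsets
    uniformly and means the run time reveals nothing about the key.
    """
    digest = hashlib.sha256(app_key.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % window_seconds


def next_run_epoch(app_key: str, now_epoch: int, window_seconds: int = WEEK) -> int:
    """Next run as a Unix timestamp: this installation's offset into the
    current window, or into the following window if that slot has passed."""
    window_start = now_epoch - (now_epoch % window_seconds)
    candidate = window_start + jitter_seconds(app_key, window_seconds)
    if candidate <= now_epoch:
        candidate += window_seconds
    return candidate


def next_run(app_key: str, now: datetime, window_seconds: int = WEEK) -> datetime:
    """Convenience wrapper over next_run_epoch for timezone-aware datetimes."""
    ts = next_run_epoch(app_key, int(now.timestamp()), window_seconds)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def spread(keys: Iterable[str], window_seconds: int = WEEK, buckets: int = 24) -> List[int]:
    """Count how many installations land in each of `buckets` equal slices
    of the window, to show that distinct keys do not pile up."""
    counts = [0] * buckets
    for key in keys:
        counts[jitter_seconds(key, window_seconds) * buckets // window_seconds] += 1
    return counts


# Constructed sample keys in Laravel's "base64:..." style; not real secrets.
SAMPLE_KEYS = [f"base64:example-key-{i:03d}=" for i in range(260)]

if __name__ == "__main__":
    now = datetime(2026, 3, 9, 12, 0, tzinfo=timezone.utc)
    print("offset for key 0:", jitter_seconds(SAMPLE_KEYS[0]), "s into the week")
    print("next run for key 0:", next_run(SAMPLE_KEYS[0], now).isoformat())
    print("installations per window slice:", spread(SAMPLE_KEYS))
```

Because the offset is a pure function of APP_KEY, rotating the key moves the slot, and two installations that share a key (for example a staging copy cloned from production with its .env) will collide; that is worth remembering when deriving anything from the application key.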
A Word of Welcome to Our New Developer
We are delighted to introduce and welcome Thomas Kerin to the IXP Manager project as a full-time senior PHP developer.
Thomas is a seasoned PHP developer with over a decade of experience building robust, security-focused applications. After graduating from Trinity College Dublin with a degree in science, Thomas gained experience through several PHP development roles, which included leadership and security responsibilities. He has worked in diverse industries from educational startups to digital currency service providers.
Of particular note for our project, Thomas is well-versed in open-source software, best known for the Bitcoin-PHP project, as well as a number of other open-source PHP libraries and extensions in the security and cryptography space.
While Thomas only joined the project at the start of March, he has already jumped into fourth place with ~100 commits on GitHub’s contributor stats. In particular, he devised a unique approach to identifying potential XSS weaknesses following the ENISA pen-test.
Thomas’ role is fully funded by sponsors of the IXP Manager Sponsorship Program.
🚨 We need more sponsors. If you are an IXP using IXP Manager, and it is within your means to sponsor the project, please contact us.
Thomas is on the mailing list and looks forward to meeting and collaborating with our IXP Manager community.
Improvements
@kylespencer opened an issue about accidental admin logout. @afk11 dug into this and made several improvements around user privileges:
- Superuser user/edit: if dropping your own privileges, count the number of users in $member with the same privileges. If it's only 1 (yourself), disallow the change.
- CustAdmin user/edit: same change as for superusers. If dropping your own privileges, bail if there's only one user in $member with those privileges (yourself).
- Kill the user.privs column (tl;dr: besides the v4.9.0 -> v5.0 migration scripts, it was only used in two grapher authorize() methods and a Docstore privs test; other uses were casual).
- Users:
  - Rewrite User::currentCustomerToUser(). Instead of querying there directly, rewrite it so the relation is returned, enabling queries. This supports writing $this->currentCustomerToUser to get the corresponding CustomerToUser instance and benefits from being cached on the model instance. It's also $model->refresh() safe.
  - Have User::privs() use $this->currentCustomerToUser.
- Rewrite WhoisController & Whois Utils - Add Tests (#970):
  - Add WhoisResolver and a WhoisHost contextual attribute, so a specific whois instance can be loaded via the DIC.
  - Move Whois-related utils into IXP\Utils\Whois.
  - Mock tests for WhoisController.
  - Add unit tests for WhoisHost and WhoisResolver.
  - Add live tests for the Whois class, capturing some behaviours.
  - Fixed a minor bug when the frontend performs a prefix whois lookup without a mask.
Other Improvements
- Allow memcached host and port to be configured via .env (/pull/969), thanks @fmcglinn.
- New test suite for the customer API endpoints.
- New tests for alert and alert container utilities.
- Table HTML code throughout the project was improved.
- Remove the old configuration default for app.key. It wouldn't have been usable; it was just pointless having it around (internal PR islandbridgenetworks/ibn-ixp-manager#63).
Bug Fixes
- Fix missing method in the Artisan command user:create, closing #965.
- We added a new IPv6 max prefix setting in v7.1.0, but we did not pull this from PeeringDB. Fixed in 42c2bca.
- Switch port display - use the correct field for the lastSnmpPoll display (4e78ab7).
- Match protocol when generating the route server (rs) RPSL RIR object - a long-standing and unnoticed issue (393ec0d).
- Fix the interface wizard form when no customer is provided. (via admin/interfaces/wizard-create)
- Fix database issue in looking glass when there are no routes.
- RRD: last two columns should contain MAX data. Fixes internal bug islandbridgenetworks/ibn-ixp-manager#42
- Several instances of internal admin links were not prefixed with /admin, leading to 404s.
- Various typos corrected.
There were various other small fixes and improvements.
CI Results for this Release
❯ ./vendor/bin/phpunit
PHPUnit 11.5.55 by Sebastian Bergmann and contributors.
Runtime: PHP 8.4.20
Configuration: /Users/barryo/dev/ixpm-inex/phpunit.xml
............................................................... 63 / 525 ( 12%)
............................................................... 126 / 525 ( 24%)
............................................................... 189 / 525 ( 36%)
............................................................... 252 / 525 ( 48%)
............................................................... 315 / 525 ( 60%)
............................................................... 378 / 525 ( 72%)
............................................................... 441 / 525 ( 84%)
............................................................... 504 / 525 ( 96%)
..................... 525 / 525 (100%)
Time: 03:24.126, Memory: 135.00 MB
OK (525 tests, 4113 assertions)
❯ ./vendor/bin/psalm --use-baseline psalm-baseline.xml
Running on PHP 8.4.20, Psalm 6.16.1@f1f5de594dc76faf8784e02d3dc4716c91c6f6ac.
JIT acceleration: OFF
You can enable JIT acceleration (experimental) with --force-jit.
Target PHP version: 8.4 (inferred from composer.json).
Scanning files...
Analyzing files...
░
------------------------------
No errors found!
------------------------------
165 other issues found.
You can display them with --show-info=true
------------------------------
Checks took 9.65 seconds and used 1,560.620MB of memory
Psalm was unable to infer types in the codebase