Title: SOPlanning Admin Authentication Bypass
CVE ID: CVE-2020-13963
CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Advisory Release Date: 19 March 2021
Advisory URL: https://labs.integrity.pt/advisories/cve-2020-13963
Credits: Discovery by Bruno Morisson <bm[at]integrity.pt> and David Júlio <dj[at]integrity.pt>
SOPlanning versions 1.45 to 1.46 are vulnerable to an authentication bypass that allows login as the guest or admin user without knowing the password.
The software has a “remember me” feature on login that, if checked, sets a specific cookie in the user’s browser after a successful login. Although the cookie is created by hashing the user ID and date with a secret key, the key for the admin user is hardcoded in the database installation script. Additionally, the guest (publicsp) user has no key set.
This allows an attacker to forge a valid cookie and completely bypass authentication for both the admin and guest users.
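
A remediation check for the two conditions described above, as an added example that is not part of the advisory or of SOPlanning's code: it flags accounts whose remember-me key is empty, shipped with the installer, or shared between accounts, rotates those keys, and verifies tokens so that an account without a key never passes. The field names, the sample rows and the `<key-from-install-script>` placeholder are assumptions, and HMAC-SHA256 stands in for the application's own hash.

```python
import hashlib
import hmac
import secrets

# Placeholder: the advisory does not print the key shipped in the install script.
SHIPPED_KEYS = {"<key-from-install-script>"}

# Constructed sample rows; field names are hypothetical, not SOPlanning's schema.
USERS = [
    {"user_id": "admin", "remember_key": "<key-from-install-script>"},
    {"user_id": "publicsp", "remember_key": None},
    {"user_id": "alice", "remember_key": "9f2c41d07be6a5"},
]


def audit_keys(users, shipped_keys=SHIPPED_KEYS):
    """Return {user_id: reason} for every account whose key an outsider could know."""
    seen = {}
    for u in users:
        seen.setdefault(u["remember_key"], []).append(u["user_id"])
    findings = {}
    for u in users:
        key = u["remember_key"]
        if not key:
            findings[u["user_id"]] = "empty key"
        elif key in shipped_keys:
            findings[u["user_id"]] = "key shipped with installer"
        elif len(seen[key]) > 1:
            findings[u["user_id"]] = "key shared between accounts"
    return findings


def rotate_keys(users, findings):
    """Give each flagged account a fresh 256-bit random key (invalidates old cookies)."""
    for u in users:
        if u["user_id"] in findings:
            u["remember_key"] = secrets.token_hex(32)
    return users


def verify_token(user, date, presented):
    """Check a remember-me token; an account without a key never passes."""
    key = user["remember_key"]
    if not key:
        return False
    msg = f"{user['user_id']}|{date}".encode()
    expected = hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)
```

Running `audit_keys` again after `rotate_keys` should return an empty result; any account still listed keeps a key that is not secret.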