CVE-2020-13963 - SOPlanning Authentication Bypass

1. Vulnerability Properties

Title: SOPlanning Admin Authentication Bypass
CVE ID: CVE-2020-13963
CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vendor: SOPlanning
Products: SOPlanning
Advisory Release Date: 19 March 2021
Advisory URL: https://labs.integrity.pt/advisories/cve-2020-13963
Credits: Discovery by Bruno Morisson <bm[at]integrity.pt> and David Júlio <dj[at]integrity.pt>

2. Vulnerability Summary

SOPlanning versions 1.45 to 1.46 are vulnerable to an authentication bypass that allows login as the guest or admin user without knowing the password.

The software has a “remember me” feature on login which, if checked, sets a specific cookie in the user’s browser after a successful login. Although the cookie is created by hashing the user ID and date with a secret key, the key for the admin user is hardcoded in the database installation script. Additionally, the guest (publicsp) user has no key set.

This allows an attacker to forge a valid cookie and completely bypass authentication for both the admin and guest users.
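
The two root causes above (a key shipped in the installation script, and an account with no key) can be checked for and refused at issue and verify time. The following is an added example, not SOPlanning code or the vendor's fix: the HMAC-SHA256 cookie layout, the function names, the 32-character minimum and the placeholder default key are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed placeholder for any key value shipped in an installation script.
INSTALLER_DEFAULT_KEYS = {"PLACEHOLDER_KEY_FROM_INSTALL_SCRIPT"}
MIN_KEY_CHARS = 32  # assumed policy, not a SOPlanning setting

def audit_user_keys(users):
    """Map user_id -> reason for every account whose cookie key is guessable."""
    findings, first_owner = {}, {}
    for user_id, key in users.items():
        if not key:
            findings[user_id] = "empty key"
        elif key in INSTALLER_DEFAULT_KEYS:
            findings[user_id] = "installer default key"
        elif len(key) < MIN_KEY_CHARS:
            findings[user_id] = "key too short"
        elif key in first_owner:
            findings[user_id] = "key shared with " + first_owner[key]
        first_owner.setdefault(key, user_id)
    return findings

def new_user_key():
    """Per-user random key, generated at account creation, never shipped."""
    return secrets.token_hex(32)

def _mac(key, user_id, day_str):
    msg = f"{user_id}|{day_str}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()

def issue_cookie(user_id, key, day):
    if audit_user_keys({user_id: key}):
        raise ValueError("weak key: remember-me disabled for " + user_id)
    return f"{user_id}|{day.isoformat()}|{_mac(key, user_id, day.isoformat())}"

def verify_cookie(cookie, users, today, max_age_days=30):
    """Return the user_id for a valid cookie, otherwise None."""
    try:
        user_id, day_str, mac = cookie.split("|")
        age = (today - date.fromisoformat(day_str)).days
    except ValueError:
        return None
    key = users.get(user_id)
    if not key or audit_user_keys({user_id: key}) or not 0 <= age <= max_age_days:
        return None
    expected = _mac(key, user_id, day_str)
    return user_id if hmac.compare_digest(mac.encode(), expected.encode()) else None
```

Running `audit_user_keys` over the accounts table of an existing installation shows which users must have their key regenerated before "remember me" can be trusted for them.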

3. Vulnerable Versions

  • From v1.45 to v1.46

4. Solution

  • Update to version 1.47

5. Vulnerability Timeline

  • 7/Jun/2020 - Bug reported to vendor
  • 7/Jun/2020 - Bug confirmed by vendor
  • 21/Jul/2020 - Bug fixed by vendor
  • 19/Mar/2021 - Advisory released

6. References

  • https://sourceforge.net/projects/soplanning/files/soplanning/1.47.00/
  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13963