user json superuser data

On various Hardware and OS systems: pi / windows / routers / nas, etc
luberth
Posts: 34
Joined: Friday 27 April 2018 7:56
Target OS: Raspberry Pi
Domoticz version: 4.9700
Location: Bangert 30 Andijk Nederland

user json superuser data

Post by luberth » Sunday 25 November 2018 21:30

Hello

I find it a bit strange: if a user looks at the JSON data, he can see the superuser's readable name and coded password. Bit strange???

waaren
Posts: 1346
Joined: Tuesday 03 January 2017 15:18
Target OS: Raspberry Pi
Domoticz version: Beta
Location: Netherlands

Re: user json superuser data

Post by waaren » Sunday 25 November 2018 23:34

luberth wrote:
Sunday 25 November 2018 21:30
if a user looks at json data he can see the superuser readable name and coded password
What did you put in the [settings] [system] [Local Networks (no username/password):] field?
Raspberry (debian stretch via berryboot on Synology DS916+) , Domoticz (almost) latest Beta, , dzVents 2.6, RFLink, RFXtrx433e, P1, Youless, Harmony, Hue, Yeelight, Xiaomi, HomeWizard, Zwave, Amazon echo

luberth
Posts: 34
Joined: Friday 27 April 2018 7:56
Target OS: Raspberry Pi
Domoticz version: 4.9700
Location: Bangert 30 Andijk Nederland

Re: user json superuser data

Post by luberth » Monday 26 November 2018 9:12

Hello

It is empty, no text.
Setup => Settings
(attachment: local_networks.png)
Point is, c.q. how I look at it:
I am sharing my floorplan for others to see.
.......... would be nice for inspiration if more people do.
They can only watch; when they click a switch they get => you do not have permission to do that.

But if someone with more knowledge than me, knowing the above view-only user login, views the JSON, he or maybe even she can see the superuser username in plain text and the coded password.
I think there would be guys or even girls knowing how to decode that password, and in they are.
In my opinion the view-only user should not see the superuser info in JSON with his rights.

I watch a particular JSON (do not go into detail here, advanced Domoticz JSON users will know which one) with an online viewer
http://jsonviewer.stack.hu/
so it's got nothing to do with local address viewing.

Setup => More options => Edit users
Add an [ ] option "JSON view allowed"?????
This makes viewer-only user test, password test: http://test:test@84.106.2.21:8080/#/Floorplans
But this user should not be allowed to see almost all superuser info in JSON.
(attachment: domoticz_user.png)

luberth
Posts: 34
Joined: Friday 27 April 2018 7:56
Target OS: Raspberry Pi
Domoticz version: 4.9700
Location: Bangert 30 Andijk Nederland

Re: user json superuser data

Post by luberth » Tuesday 27 November 2018 13:03

Hmmmmm

My 433 MHz doorbell started playing.
Somebody in???

How did you do that?
No, the doorbell log shows no on action.

Must be false reception by the cheap doorbell;
there must be some similarity between the 433 MHz code of the action impuls wall socket and the action doorbell:
./impuls.sh 31 C on 10

waaren
Posts: 1346
Joined: Tuesday 03 January 2017 15:18
Target OS: Raspberry Pi
Domoticz version: Beta
Location: Netherlands

Re: user json superuser data

Post by waaren » Tuesday 27 November 2018 15:18

luberth wrote:
Monday 26 November 2018 9:12
I understand now. Already possible to see your complete configuration including device attributes (name, description, etc...).
Not enough authorization to control them with API calls but too open for my liking.
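The least-privilege rule waaren and luberth are asking for, as an added example that is not Domoticz's own code: a role-aware filter that strips other accounts' usernames, password hashes and notification addresses from a JSON settings response before a viewer-level user receives it, plus an audit helper that flags a payload still carrying such fields. The field names, the rights numbering and the sample payload are constructed for illustration; the thread deliberately does not name the real endpoint.

```python
"""Role-aware redaction of a Domoticz-style JSON API response.

Added example, not Domoticz's own code. Shows the rule the thread asks for:
a view-only account must not receive other accounts' usernames, password
hashes or notification addresses, even if it may read the rest of the
configuration. Key names and sample values are constructed, not real ones.
"""
import copy

# Keys a view-only user has no business seeing (constructed list).
SENSITIVE_KEYS = {"Username", "Password", "Email", "NotificationAddress"}
# Collections in the sample that describe other accounts (constructed).
ACCOUNT_COLLECTIONS = {"users"}

# Constructed sample resembling a settings/users dump; every value is fake.
SAMPLE_RESPONSE = {
    "status": "OK",
    "title": "Settings",
    "users": [
        {"idx": "1", "Username": "admin", "Password": "fakehashAAAA", "Rights": 2},
        {"idx": "2", "Username": "test", "Password": "fakehashBBBB", "Rights": 0},
    ],
    "Email": "owner@example.invalid",
    "Floorplans": [{"idx": "1", "Name": "Ground floor"}],
}


def filter_for_role(response, rights):
    """Return a copy of `response` trimmed to the caller's rights level.

    rights numbering assumed here: 0 = viewer, 1 = user, 2 = admin.
    Admins get everything; everyone else loses account collections and
    top-level sensitive keys. Floorplans and similar data are kept.
    """
    if rights >= 2:
        return copy.deepcopy(response)
    out = {}
    for key, value in response.items():
        if key in SENSITIVE_KEYS or key in ACCOUNT_COLLECTIONS:
            continue
        out[key] = copy.deepcopy(value)
    return out


def leaks_secrets(payload):
    """Audit helper: True if any sensitive key appears anywhere in the payload."""
    if isinstance(payload, dict):
        return any(k in SENSITIVE_KEYS or leaks_secrets(v) for k, v in payload.items())
    if isinstance(payload, list):
        return any(leaks_secrets(v) for v in payload)
    return False
```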

luberth
Posts: 34
Joined: Friday 27 April 2018 7:56
Target OS: Raspberry Pi
Domoticz version: 4.9700
Location: Bangert 30 Andijk Nederland

Re: user json superuser data

Post by luberth » Tuesday 27 November 2018 15:48

Sorry, I'm just a Domoticz newbie beginner
.......... so my configuration looks like .....

and you can see
    superuser name in plaintext => that's 1 guess less, and a huge loss for the owner or a big win for the hacker
    and coded password
if you use the right JSON call.

Also you can see notification addresses etcetera,
much too much for this view-only viewer.
