user json superuser data

luberth
Posts: 34
Joined: Friday 27 April 2018 7:56
Target OS: Raspberry Pi / ODroid
Domoticz version: 4.9700
Location: Bangert 30 Andijk Nederland

user json superuser data

Post by luberth »

Hello

I find it a bit strange:
if a user looks at the JSON data
he can see the superuser's readable name
and coded password.
A bit strange???
waaren
Posts: 6028
Joined: Tuesday 03 January 2017 14:18
Target OS: Linux
Domoticz version: Beta
Location: Netherlands

Re: user json superuser data

Post by waaren »

luberth wrote: Sunday 25 November 2018 20:30 if a user looks at JSON data he can see the superuser readable name and coded password
What did you put in the [Settings] [System] [Local Networks (no username/password):] field?
Debian buster, bullseye on RPI-4, Intel NUC.
dz Beta, Z-Wave, RFLink, RFXtrx433e, P1, Youless, Hue, Yeelight, Xiaomi, MQTT
==>> dzVents wiki

Re: user json superuser data

Post by luberth »

Hello

It is empty, no text.
Setup => Settings
[attachment: local_networks.png]
The point is, or how I look at it:
I am sharing my floorplan for others to see.
.......... would be nice for inspiration if more people did.
They can only watch;
when they click a switch they get => you do not have permission to do that.

But if someone with more knowledge than me,
knowing the above view-only user login,
views the JSON,
he or maybe even she can see the superuser username in plain text
and the coded password.
I think there would be guys or even girls knowing how to decode that password,
and they are in.
In my opinion the view-only user should not see the superuser info in the JSON with his rights.

I watch a particular JSON (I do not go into detail here; advanced Domoticz JSON users will know which one) with an online viewer,
http://jsonviewer.stack.hu/
so it's got nothing to do with local address viewing.

Setup => More options => Edit users
add an [ ] option "JSON view allowed"?????
This makes view-only user test, password test: http://test:[email protected]:8080/#/Floorplans
but this user should not be allowed to see almost all superuser info in the JSON.
[attachment: domoticz_user.png]

Re: user json superuser data

Post by luberth »

Hmmmmm

My 433 MHz doorbell started playing.
Somebody in???

How did you do that?
No, the doorbell log shows no On action.

Must be false reception by the cheap doorbell;
there must be some similarity between the 433 MHz code of the Action impuls wall socket and the Action doorbell.
./impuls.sh 31 C on 10

Re: user json superuser data

Post by waaren »

luberth wrote: Monday 26 November 2018 8:12 Hello

It is empty, no text.
Setup => Settings
[attachment: local_networks.png]

The point is, or how I look at it:
I am sharing my floorplan for others to see.
.......... would be nice for inspiration if more people did.
They can only watch;
when they click a switch they get => you do not have permission to do that.

But if someone with more knowledge than me,
knowing the above view-only user login,
views the JSON,
he or maybe even she can see the superuser username in plain text
and the coded password.
I think there would be guys or even girls knowing how to decode that password,
and they are in.
In my opinion the view-only user should not see the superuser info in the JSON with his rights.

I watch a particular JSON (I do not go into detail here; advanced Domoticz JSON users will know which one) with an online viewer,
http://jsonviewer.stack.hu/
so it's got nothing to do with local address viewing.

Setup => More options => Edit users
add an [ ] option "JSON view allowed"?????
This makes view-only user test, password test: http://test:[email protected]:8080/#/Floorplans
but this user should not be allowed to see almost all superuser info in the JSON.
[attachment: domoticz_user.png]
I understand now. Already possible to see your complete configuration including device attributes (name, description, etc...).
Not enough authorization to control them with API calls but too open for my liking.
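The exposure waaren confirms above (a view-only login can read the full configuration) is the kind of thing a least-privilege audit should catch. As an added example that is not code from Domoticz or from this thread, the following Python walks a JSON response captured while logged in as the view-only user and flags fields that look like administrator-only data; the sample response, its field names and the key patterns are constructed for the example.

```python
"""Hypothetical audit helper (not Domoticz code): scan a JSON API response fetched
as a view-only user and flag leaves that look like administrator-only data."""
import json
import re
from typing import Any, Iterator

# Key names a view-only account should never be able to read (assumption:
# patterns chosen to cover admin username, stored password and mail address).
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|user|mail|key", re.I)
# A bare 32-character hex string is a common shape for a stored password hash.
HEXHASH = re.compile(r"^[0-9a-f]{32}$", re.I)

# Constructed sample of what a viewer-level session might receive; the field
# names are invented for this example, not taken from the Domoticz API.
SAMPLE_VIEWER_RESPONSE = json.loads("""{
  "status": "OK", "title": "Settings",
  "WebUserName": "admin",
  "WebPassword": "0123456789abcdef0123456789abcdef",
  "EmailTo": "owner@example.com",
  "Floorplans": [{"idx": "1", "Name": "Ground floor"}]
}""")


def walk(node: Any, key: str = "", path: str = "$") -> Iterator[tuple[str, str, Any]]:
    """Yield (json_path, key_name, value) for every leaf of a nested object."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, k, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, key, f"{path}[{i}]")
    else:
        yield path, key, node


def find_exposed(response: Any) -> list[dict]:
    """Return one finding per leaf whose key or value looks like admin-only data."""
    findings = []
    for path, key, value in walk(response):
        reasons = []
        if SENSITIVE_KEY.search(key):
            reasons.append("sensitive key name")
        if isinstance(value, str) and HEXHASH.match(value):
            reasons.append("value looks like a password hash")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings
```

Running find_exposed(SAMPLE_VIEWER_RESPONSE) reports the username, password-hash and e-mail fields, which is the kind of leak the thread describes. Anything the view-only role does not need should be stripped from the response server-side, not merely hidden in the web UI.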

Re: user json superuser data

Post by luberth »

Sorry, I'm just a Domoticz newbie beginner
.......... so my configuration looks like .....

and you can see
_____ superuser name in plaintext => that's 1 guess less, and a huge loss for the owner or a big win for the hacker
_____ and coded password
if you use the right JSON call.

Also you can see notification email addresses etcetera,
much too much for this view-only viewer.
Last edited by luberth on Sunday 30 December 2018 9:19, edited 1 time in total.

Re: user json superuser data

Post by luberth »

Disappointed
that there is no reaction from forum managers or programmers.