Hide sensitive/security related info from unprotected pages #4220
Comments
TD-er
added
Type: Enhancement
|
The good combination is, when a password is set, then no sensitive in json. |
Agree, but.... there are existing setups out there and maybe someone does automatically fetch this data. |
|
I think it is a serious security leak and must be changed. Scenario: You have a wlan with some ESP Clients running and a MAC filter for access restriction. Now somebody (guests or somebody bad, bot ...) is scanning your subnet for host and tries (/json) on every host. Now he knows MACs for the WLAN-MAC-filter... The default should be hiding and an override option with warning text to disable. But I'm ready for discussion. :) |
Don't get me wrong, we do agree on this. However, only using a MAC filter is a bit like security-through-obscurity. |
|
It was only a weak example. |
tonhuisman
changed the title
|
Well I now had to break into my own units as there is a bug in ESP-IDF 5.1 I'm working on where the remote IP is not detected reliable. And I now see where the security holes are as I was eventually able to access the tools page via some text-based browser trickery on Linux and uploading a new firmware file while I was being blocked according to the access control code. So there is for sure room for improvement here. But it was a nice exercise to try and break in your own code :) (took me way longer than expected) |
Currently, general info pages like
/jsonare available without providing the admin password, when that is set. (from this discussion)It can be hidden based on a setting in Tools/Advanced, or when the Admin password is set (less settings is better).
We should hide these fields:
SSIDandBSSIDfieldsMACfields(suggestions welcome)
The text was updated successfully, but these errors were encountered: