Hide sensitive/security related info from unprotected pages #4220
Comments
The good combination is: when a password is set, then no sensitive info in /json.
Agree, but.... there are existing setups out there and maybe someone does automatically fetch this data.
I think it is a serious security leak and must be changed. Scenario: You have a WLAN with some ESP clients running and a MAC filter for access restriction. Now somebody (guests or somebody bad, a bot ...) is scanning your subnet for hosts and tries /json on every host. Now he knows MACs for the WLAN MAC filter... The default should be hiding, with an override option with warning text to disable. But I'm ready for discussion. :)
Don't get me wrong, we do agree on this. However, only using a MAC filter is a bit like security-through-obscurity.
It was only a weak example.
Well, I now had to break into my own units as there is a bug in ESP-IDF 5.1 I'm working on where the remote IP is not detected reliably. And I now see where the security holes are, as I was eventually able to access the tools page via some text-based browser trickery on Linux and upload a new firmware file while I was being blocked according to the access control code. So there is for sure room for improvement here. But it was a nice exercise to try and break into your own code :) (took me way longer than expected)
Currently, general info pages like /json are available without providing the admin password, when that is set (from this discussion). It can be hidden based on a setting in Tools/Advanced, or when the Admin password is set (fewer settings is better).
We should hide these fields:
- SSID and BSSID fields
- MAC fields
(suggestions welcome)
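The rule the issue asks for, as an added example that is not part of the original issue and not ESPEasy's own code: the unauthenticated /json response has its SSID, BSSID and MAC fields masked, while a caller presenting the admin password, or a unit with no admin password set, gets the full document. The status document, its field names and the `<hidden>` placeholder are constructed for this example; masking with a placeholder rather than dropping the keys is a design choice made here so that existing clients that parse the document keep finding the same keys.

```python
"""Mask network identifiers in a device's JSON status page unless the caller
is authenticated. Illustrative code written for this discussion, not ESPEasy's.
"""
import hmac
import json

# Substrings that mark a field as sensitive (SSID/BSSID and any MAC address
# field, e.g. "STA MAC" or "AP MAC"). Matching is case-insensitive.
SENSITIVE_MARKERS = ("SSID", "MAC")  # "BSSID" contains "SSID"
PLACEHOLDER = "<hidden>"


def is_sensitive(key: str) -> bool:
    """True for any key that names an SSID/BSSID or a MAC address."""
    upper = key.upper()
    return any(marker in upper for marker in SENSITIVE_MARKERS)


def redact(doc):
    """Return a copy of doc with sensitive fields replaced by PLACEHOLDER.

    Works recursively over nested objects and lists, so fields hidden inside
    sub-sections (e.g. a "WiFi" object) are masked too.
    """
    if isinstance(doc, dict):
        return {
            key: PLACEHOLDER if is_sensitive(key) else redact(value)
            for key, value in doc.items()
        }
    if isinstance(doc, list):
        return [redact(item) for item in doc]
    return doc


def is_authenticated(admin_password: str, supplied_password) -> bool:
    """Existing behaviour is kept when no admin password is configured:
    an empty admin password means everything stays visible."""
    if not admin_password:
        return True
    if supplied_password is None:
        return False
    # Constant-time comparison so the check does not leak by timing.
    return hmac.compare_digest(admin_password.encode(), supplied_password.encode())


def status_json(doc, admin_password: str, supplied_password=None) -> str:
    """Serialize the status document, masking sensitive fields for
    unauthenticated callers."""
    if is_authenticated(admin_password, supplied_password):
        return json.dumps(doc)
    return json.dumps(redact(doc))


# Constructed sample status document (not real device output).
SAMPLE_STATUS = {
    "System": {"Unit Number": 1, "Uptime": 120},
    "WiFi": {
        "SSID": "home-net",
        "BSSID": "AA:BB:CC:DD:EE:01",
        "STA MAC": "AA:BB:CC:DD:EE:02",
        "RSSI": -57,
    },
    "Sensors": [{"TaskName": "temp", "Value": 21.5}],
}


if __name__ == "__main__":
    print("unauthenticated:", status_json(SAMPLE_STATUS, "s3cret"))
    print("authenticated:  ", status_json(SAMPLE_STATUS, "s3cret", "s3cret"))
    print("no password set:", status_json(SAMPLE_STATUS, ""))
```

Non-sensitive fields such as uptime and RSSI stay visible in all three cases, so a monitoring script that only reads those keeps working; only the identifiers that would help someone enumerate the network or bypass a MAC filter are masked.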