Apparent Security Issue.


    I use DooMenuBar and currently, even when logged in as Guest, all menus are visible. I suspect the following will be the case even without DooMenuBar.

    When I open the PowerTrigger config page from the menu, the user is immediately switched to the only Admin user I have configured on my system and logged in without a password. Subsequently, the user has full, unrestricted access to the system. I'm disabling PowerTrigger until this can be fixed.
    Real courage is not securing your Wi-Fi network.

    #2
    Perhaps you should read up on security, web apps and so on before you blame PowerTrigger. PowerTrigger has no knowledge of your accounts and never logs any user in.



      #3
      Perhaps not. But explain this.
      Logged in as a guest from a remote location. All other pages load or not as expected depending on user access level. When I load the PowerTrigger page however, the logged in user changes to the Admin user... no password required although it should be. Subsequently, the user has unrestricted access to everything. No other plugin or page on my system does this. I'd suggest you try it before denying the possibility out of hand.
      Real courage is not securing your Wi-Fi network.



        #4
        Wadenut, there's really no reason to try it before denying the possibility of it being due to PowerTrigger out-of-hand. You're blaming your car for the traffic jam on the freeway here.

        I'll try to reproduce this later today.



          #5
          It isn't my intention to get into a CAT fight here.
          All I've said is that I've tested security on my system. I've tried each page in turn while logged in as a guest from a remote location. Once PowerTrigger is opened, the logged in user immediately changes to the ADMIN user and everything is wide open. Whether or not PowerTrigger is directly or indirectly responsible, or some problem exists within HS2 itself, is not for me to determine. I simply described what I've seen on more than one occasion, and have been able to reproduce.
          I found PowerTrigger to be quite useful while I was using it and miss it. Meantime, I've found it necessary to close guest access and disable the plugin until I can find a resolution.
          I'd be interested to hear if anyone else has had a similar experience with any plugin. I've also logged a help desk ticket.
          Last edited by Wadenut; January 20, 2008, 10:57 AM. Reason: Appended comment re Helpdesk ticket.
          Real courage is not securing your Wi-Fi network.



            #6
            Let's start by making sure there really is a problem. HomeSeer security is a bit screwy anyhow, but this is independent of any plug-in. But do make sure you have verified this from a non-sub-net. For example, via a proxy? Remember that HomeSeer grants Admin rights to local users by default - no PowerTrigger involvement at all.



              #7
              Originally posted by Wadenut:
              I'd be interested to hear if anyone else has had a similar experience with any plugin. I've also logged a help desk ticket.
              I tried a guest account from my internet address and was not able to access any plugins, including PowerTrigger.
              Mark

              HS3 Pro 3.0.0.534
              Hardware: Insteon Serial PLM | AD2USB for Vista Alarm | HAI Omnistat2 | 1-Wire HA7E | RFXrec433 | Dahua Cameras | LiftMaster Internet Gateway
              Plugins: Insteon (mine) | Vista Alarm (mine) | Omnistat 3 (by Kirby) | Ultra1Wire3 | RFXCOM | NetCAM | MyQ | BLRadar | BLDenon | Jon00 Charting
              Platform: HP h8-1360t, Windows Server 2012 R2, i7-3.4GHz, 16GB memory



                #8
                There's no doubt the flaw will somehow be traced to HS. I'll try a backup made before I noticed this and see what happens. Beyond that, if need be, I'll reinstall HS from scratch. Greg Hughes at the help desk has suggested disabling other plugins to try to isolate this. If no-one else has had this happen, it's likely my installation has been somehow corrupted.
                I log in remotely as guest, outside my local subnet, through dyndns.
                Real courage is not securing your Wi-Fi network.



                  #9
                  After restoring a backup from early in December, long before PowerTrigger was installed, the problem seems to be cured. I've reinstalled the plugin and thoroughly tested all pages on the system as Guest. No more problem. Why, how and when the trouble developed is a mystery, but I'm happy to concede that there is no issue with PowerTrigger itself.
                  Real courage is not securing your Wi-Fi network.
