HTTP control without password???

Moderators: grovkillen, Stuntteam, TD-er

cdev
New user
Posts: 4
Joined: 17 May 2019, 10:20

HTTP control without password???

#1 Post by cdev » 17 May 2019, 10:28

Hello
I'm new to the forum and started yesterday with a smart plug (same HW as Sonoff S20).
I flashed ESPEasy 2:
"ESP_Easy_mega-20190511_normal_core_241_ESP8266_1M"

Everything is okay and works fine. I've set up a password, and if I want to connect to the WebIF I have to enter user and password - fine.
But if I want to control the plug with "/control?......" commands, I can control it without any password auth.

For my scenario I have to connect the plug directly to the Internet, and I think it's a bug and a little bit risky.


Also, that I can only set one IP or IP range is disappointing, because I would whitelist the local net and one IP address to connect from the Internet side.
At the moment the only solution is to allow all IP addresses; with working password protection it would be a little bit safer. (And yes, I know it's plain text and only HTTP, which is not encrypted.)

grovkillen
Core team member
Posts: 3621
Joined: 19 Jan 2017, 12:56
Location: Hudiksvall, Sweden

Re: HTTP control without password???

#2 Post by grovkillen » 17 May 2019, 12:38

Best option in my opinion is to control it over MQTT. That way you only have to expose the MQTT broker to the Internet, but that one you can HTTPS + password protect. I'm not gonna show you how to expose the unit directly to the Internet because I don't think that's a good idea at all.
ESP Easy Flasher [flash tool and wifi setup at flash time]
ESP Easy Webdumper [easy screendumping of your units]
ESP Easy Netscan [find units]
Official shop: https://firstbyte.shop/
Sponsor ESP Easy, we need you :idea: :idea: :idea:

cdev
New user
Posts: 4
Joined: 17 May 2019, 10:20

Re: HTTP control without password???

#3 Post by cdev » 17 May 2019, 15:21

Thanks for your feedback; the problem is that I have only this one plug.
I have a complete working smart home setup based on another system, but at the moment I have a lot of trouble with my WiFi router and I need this plug only to cut the power supply to the router to restart it remotely.
That's why I can't connect the plug to my existing smart home setup.
The plug is only connected to a backup Internet connection to restart my main router if needed.
I have a port forwarding to the plug directly, but on a higher random port, not 80 or some standard port.


Password protection for HTTP control would be nice, also HTTPS (but I understand that it is all limited by 1M flash and normally it's not needed in a home network).

P.S.: Is there a way to enable telnet on the device? Maybe I can install an SSL / SSH certificate and enable SSH myself?

Rob Muller
Normal user
Posts: 11
Joined: 05 Nov 2018, 17:02

Re: HTTP control without password???

#4 Post by Rob Muller » 05 Jan 2020, 11:25

If your backup connection is only there to restart the router, why not set up controlled access on the backup connection's router (login, VPN etc.) to connect to the plug?
Thanks for reading,
regards,

Rob

TD-er
Core team member
Posts: 8643
Joined: 01 Sep 2017, 22:13
Location: the Netherlands

Re: HTTP control without password???

#5 Post by TD-er » 05 Jan 2020, 15:30

Some routers (e.g. Fritzbox ones) allow you to set a password on HTTP port forwards.
If you know Apache, then it is just like a proxy path (and reverse proxy) including a .htaccess with a password setup.
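The reverse-proxy-with-password idea from the post above, written out as an added example (this is not ESP Easy's code and not a configuration from the forum). It assumes a hypothetical plug at 192.168.1.50 on the LAN, a proxy host named plug.example.org with a TLS certificate and key at the paths shown, and a user file at /etc/apache2/plug.htpasswd; all of those names are placeholders. The commented-out block shows what a bare port forward amounts to (every path, including /control, open to anyone who can reach the port), and the live configuration below it puts Basic authentication on every path and forces HTTPS, because Basic credentials sent over plain HTTP are just as readable on the wire as the unauthenticated /control request was.

```apache
# Added example, not part of ESP Easy or the forum thread.
# Assumptions (hypothetical): plug at 192.168.1.50, proxy name plug.example.org,
# cert/key under /etc/ssl, user file /etc/apache2/plug.htpasswd.
# Needs these modules enabled: ssl, proxy, proxy_http, auth_basic, authn_file.

# Weak setting: this is what a direct port forward to the plug amounts to.
# Anyone who can reach the port can send /control?cmd=... with no credentials.
# Never run the plug like this towards the Internet:
#
#   <Location "/control">
#       Require all granted
#   </Location>

# Plain HTTP only redirects, so no credentials ever travel in cleartext.
<VirtualHost *:80>
    ServerName plug.example.org
    Redirect permanent "/" "https://plug.example.org/"
</VirtualHost>

<VirtualHost *:443>
    ServerName plug.example.org

    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/plug.example.org.pem"
    SSLCertificateKeyFile "/etc/ssl/private/plug.example.org.key"

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost Off

    # Everything, including /control?cmd=..., is forwarded to the plug's
    # plain-HTTP interface on the LAN.
    ProxyPass        "/" "http://192.168.1.50/"
    ProxyPassReverse "/" "http://192.168.1.50/"

    # Corrected setting: every path needs a valid user from the htpasswd file,
    # so /control gets the same protection the plug's own web UI already has.
    <Location "/">
        AuthType Basic
        AuthName "ESP Easy plug"
        AuthUserFile "/etc/apache2/plug.htpasswd"
        Require valid-user
    </Location>
</VirtualHost>
```

Create the user with `htpasswd -c /etc/apache2/plug.htpasswd <user>`, then forward only port 443 to the proxy and remove the existing direct port forward to the plug. Two caveats a practitioner should keep in mind: the plug itself still answers /control without a password to anything on the LAN, so the proxy only helps if it is the sole path in from the Internet; and if you also want the original post's "one trusted public address" whitelist, add a `Require ip <address>` line next to `Require valid-user` inside a `<RequireAll>` block rather than replacing the password check.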

TD-er
Core team member
Posts: 8643
Joined: 01 Sep 2017, 22:13
Location: the Netherlands

Re: HTTP control without password???

#6 Post by TD-er » 05 Jan 2020, 15:39


Ath
Normal user
Posts: 3419
Joined: 10 Jun 2018, 12:06
Location: NL

Re: HTTP control without password???

#7 Post by Ath » 29 May 2020, 07:48

Edit:
So I stepped into a spammer trap. :( Removed the reply.
Last edited by Ath on 30 May 2020, 09:41, edited 1 time in total.
/Ton (PayPal.me)

TD-er
Core team member
Posts: 8643
Joined: 01 Sep 2017, 22:13
Location: the Netherlands

Re: HTTP control without password???

#8 Post by TD-er » 30 May 2020, 09:34

@Ath:
The same message, only with a different URL, has been posted several times in the last few days.
So I deleted the bot-generated message and IP-banned it.
An IP ban is probably not going to work on bots, but it's all we've got.

