HTTP control without password???
Posted: 17 May 2019, 10:28
Hello
I'm new to the forum and started yesterday with a smart plug (same HW as Sonoff S20).
I flashed ESPeasy 2:
"ESP_Easy_mega-20190511_normal_core_241_ESP8266_1M"
Everything is okay and works fine. I've set up a password, and if I want to connect to the WebIF I have to enter user and password - fine.
But if I want to control the plug with commands "/control?......", I can control it without any password auth.
For my scenario I have to connect the plug directly to the Internet, and I think it's a bug and a little bit risky.
Also, that I can only set 1 IP or IP range is disappointing - because I would whitelist the local net, and one IP address to connect from the Internet site.
At the moment the only solution is to allow all IP addresses - with working password protection it would be a little bit more safe. (And yes, I know it's plain text and only HTTP, which is not encrypted.)