HTTP control without password???

cdev
Normal user
Posts: 4
Joined: 17 May 2019, 10:20

HTTP control without password???

#1 Post by cdev » 17 May 2019, 10:28

Hello
I'm new to the forum and started yesterday with a smart plug (same HW as Sonoff S20).
I flashed ESPeasy 2:
"ESP_Easy_mega-20190511_normal_core_241_ESP8266_1M"

Everything is okay and works fine. I've set up a password, and if I want to connect to the WebIF I have to enter user and password - fine.
But if I want to control the plug with commands "/control?......" I can control it without any password auth.

For my scenario I have to connect the plug directly to the Internet, and I think it's a bug and a little bit risky.


Also, that I can only set 1 IP or IP range is disappointing, because I would whitelist the local net and one IP address to connect from the Internet site.
At the moment the only solution is to allow all IP addresses - with working password protection it would be a little bit safer. (And yes, I know it's plain text and only HTTP, which is not encrypted.)

grovkillen
Core team member
Posts: 3140
Joined: 19 Jan 2017, 12:56
Location: Hudiksvall, Sweden

Re: HTTP control without password???

#2 Post by grovkillen » 17 May 2019, 12:38

Best option in my opinion is to control it over MQTT. That way you only have to exploit the MQTT broker to the Internet but that one you can HTTPS + Password protect. I'm not gonna show you how to exploit the unit directly to the internet because I don't think that's a good idea at all.

cdev
Normal user
Posts: 4
Joined: 17 May 2019, 10:20

Re: HTTP control without password???

#3 Post by cdev » 17 May 2019, 15:21

THX for your feedback, the problem is that I have only this one plug.
I have a complete working smart home setup based on another system - but at the moment I have a lot of trouble with my wifi router and I need this plug only to break the power supply from the router to restart it remotely.
That's why I can't connect the plug to my existing smart home setup.
The plug is only connected to a backup internet connection to restart my main router if needed.
I have a port forwarding to the plug directly, but on a higher random port - not 80 or some standard port.


Password protection for HTTP control would be nice, also HTTPS (but I understand that it is all limited by 1M flash and normally it's not needed in a home network).

P.S.: Is there a way to enable telnet to the device? Maybe I can install an SSL / SSH certificate and enable SSH by myself?
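
The two gaps raised in this thread (no password on the "/control?" path, and only one allowed IP or range) can be closed by an authenticating proxy placed in front of the plug. The admission check for such a proxy, as an added example that is not part of the thread and not ESP Easy code; the networks, credentials and function names are constructed placeholders:

```python
import base64
import hmac
import ipaddress

# Constructed placeholder policy (not from the thread): a local net plus one remote IP.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.7/32")]
USER, PASSWORD = "admin", "change-me"


def basic_header(user, password):
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def ip_allowed(client_ip):
    """True if client_ip falls inside any allowlisted network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable source address is never trusted
    return any(addr in net for net in ALLOWED_NETS)


def credentials_ok(auth_header):
    """Validate an HTTP Basic Authorization header with constant-time compares."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons so timing does not reveal which field was wrong.
    user_ok = hmac.compare_digest(user.encode(), USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), PASSWORD.encode())
    return user_ok and pass_ok


def gate(client_ip, auth_header):
    """Status the proxy answers before forwarding any request, /control included."""
    if not ip_allowed(client_ip):
        return 403
    if not credentials_ok(auth_header):
        return 401
    return 200  # only now would the request be passed on to the plug
```

Basic credentials are only base64-encoded, so the proxy should terminate TLS itself; the plug then needs to accept connections from the proxy's address only.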
