Avatar

Please consider registering
Guest

Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

Register Lost password?
sp_Feed sp_TopicIcon
SmartPSS limited user security issue
sp_NewPost Add Reply sp_NewTopic Add Topic
Avatar
CFox_MerIT
Member
Members
Forum Posts: 8
Member Since:
March 31, 2015
sp_UserOfflineSmall Offline
1
October 12, 2015 - 1:08 pm
sp_Permalink sp_Print sp_QuotePost
sp_ReportPost

I just found an issue with the SmartPSS remote viewing software that I hope someone has a fix for.

We have a 64 channel NVR, which has cameras connected from different areas/businesses on property.

We want to limit the managers of the different businesses to view the cameras only for their own area. To do that, we have created groups that only include playback and view on the correct cameras. None of the managers have Account access to add or delete users.

When accessing the system through the webGUI, the system functions as expected. When attempting to access a restricted camera, they get the message “You have no right”. When they click the Setup, the account section is not listed (as expected)

BUT when the same user logs in through the SmartPSS software, they are able to see ALL cameras. Even worse, when they go to Device Manage, they can add/delete/modify users. The software itself says “account modify failed”, but it doesn’t actually fail, the changes made do take effect.

I hope that there is just a box that we haven’t checked or possibly a firmware update, as this seems to be a pretty big security hole. Our current firmware is

Avatar
Dan Maresca
Member
Members
Forum Posts: 460
Member Since:
March 27, 2013
sp_UserOfflineSmall Offline
2
October 12, 2015 - 1:44 pm
sp_Permalink sp_Print sp_QuotePost
sp_ReportPost

Hello,

 

This could be “hole” to be sure though when the user uses smart pss. Are they using the account you set them up with to log in to the nvr?

Avatar
CFox_MerIT
Member
Members
Forum Posts: 8
Member Since:
March 31, 2015
sp_UserOfflineSmall Offline
3
October 12, 2015 - 6:08 pm
sp_Permalink sp_Print sp_QuotePost
sp_ReportPost

Yes, they are using the account I set up for them to log into both the webGUI of the NVR, and to connect the NVR as a device in SmartPSS.

I have tested with several other accounts which should also be limited, and they also are able to view all cameras and access the accounts section through SmartPSS, but not through the webGUI.

We have another client with a hybrid analog/IP NVR that we also purchased from you, and it does NOT have the same problem. The limited users on that system are still limited in SmartPSS. The firmware on that system is

Forum Timezone: America/New_York

Most Users Ever Online: 132

Currently Online:
28 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Dan Maresca: 460

Techpro Security: 404

shockwave199: 179

tubac: 166

Gilberto: 150

Jer7of9: 150

MrDeepFreeze: 136

javajeff: 132

Night Hawk: 100

West Coast Jones: 66

Newest Members:

HildaAxops

Teodororevob

tammient1

RobertErync

BurtonKen

Stevenkep

JonahUterB

Davidoptib

Lancecauri

Luke9270

Forum Stats:

Groups: 5

Forums: 28

Topics: 1325

Posts: 5608

 

Member Stats:

Guest Posters: 90

Members: 8474

Moderators: 13

Admins: 4

Administrators: Damon Delcoro, Brad Besner, Jose Malave, Gabe Garcia

Moderators: Ryan, Zeke Richey, Jorge Nava, Heath Phillips, Brian Lee, Eric Wilson, Michael, Tonya Haley, LittleBrad, Ted, Matthew Ernst, Ariel Millard, Ben Degraw