Avatar
Please consider registering
Guest
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Register Lost password?
sp_Feed sp_TopicIcon
SmartPSS limited user security issue
sp_NewTopic Add Topic
Avatar
CFox_MerIT
Member
Members
Forum Posts: 8
Member Since:
March 31, 2015
sp_UserOfflineSmall Offline
1
October 12, 2015 - 1:08 pm
sp_Permalink sp_Print sp_QuotePost
sp_ReportPost

I just found an issue with the SmartPSS remote viewing software that I hope someone has a fix for.

We have a 64 channel NVR, which has cameras connected from different areas/businesses on property.

We want to limit the managers of the different businesses to view the cameras only for their own area. To do that, we have created groups that only include playback and view on the correct cameras. None of the managers have Account access to add or delete users.

When accessing the system through the webGUI, the system functions as expected. When attempting to access a restricted camera, they get the message "You have no right". When they click the Setup, the account section is not listed (as expected)

BUT when the same user logs in through the SmartPSS software, they are able to see ALL cameras. Even worse, when they go to Device Manage, they can add/delete/modify users. The software itself says "account modify failed", but it doesn't actually fail, the changes made do take effect.

I hope that there is just a box that we haven't checked or possibly a firmware update, as this seems to be a pretty big security hole. Our current firmware is

Avatar
Guest
Guest
Guests
2
October 12, 2015 - 1:44 pm
sp_Permalink sp_Print sp_QuotePost
sp_ReportPost

Hello,

 

This could be "hole" to be sure though when the user uses smart pss. Are they using the account you set them up with to log in to the nvr?

Avatar
CFox_MerIT
Member
Members
Forum Posts: 8
Member Since:
March 31, 2015
sp_UserOfflineSmall Offline
3
October 12, 2015 - 6:08 pm
sp_Permalink sp_Print sp_QuotePost
sp_ReportPost

Yes, they are using the account I set up for them to log into both the webGUI of the NVR, and to connect the NVR as a device in SmartPSS.

I have tested with several other accounts which should also be limited, and they also are able to view all cameras and access the accounts section through SmartPSS, but not through the webGUI.

We have another client with a hybrid analog/IP NVR that we also purchased from you, and it does NOT have the same problem. The limited users on that system are still limited in SmartPSS. The firmware on that system is

Forum Timezone: America/New_York
Most Users Ever Online: 233
Currently Online:
Guest(s) 12
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Techpro Security: 404
shockwave199: 179
tubac: 167
Jer7of9: 154
Gilberto: 150
MrDeepFreeze: 136
Night Hawk: 100
Mark: 79
West Coast Jones: 66
ShawnInFL: 64
Newest Members:
BadSantakhg
XLR_Security
cmillerGS
cecilgj11
zmnako
edastone
BadSantaybz
emmettjo
Raj1997
SpaGuru
Forum Stats:
Groups: 5
Forums: 28
Topics: 1473
Posts: 5962

 

Member Stats:
Guest Posters: 134
Members: 22462
Moderators: 7
Admins: 5
Administrators: Damon Delcoro, Brad Besner, Jose Malave, Damon Delcoro, Tony Petruzzi
Moderators: Zeke Richey, Eric Wilson, Yarden Pinhasi, Joe Shopsin, jwilhelmi, Jorge Nava, Tyler Rittel