Avatar
Please consider registering
Guest
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Register Lost password?
sp_Feed sp_TopicIcon
SmartPSS limited user security issue
sp_NewTopic Add Topic
Avatar
CFox_MerIT
Member
Members
Forum Posts: 8
Member Since:
March 31, 2015
sp_UserOfflineSmall Offline
1
October 12, 2015 - 1:08 pm
sp_Permalink sp_Print sp_QuotePost
sp_ReportPost

I just found an issue with the SmartPSS remote viewing software that I hope someone has a fix for.

We have a 64 channel NVR, which has cameras connected from different areas/businesses on property.

We want to limit the managers of the different businesses to view the cameras only for their own area. To do that, we have created groups that only include playback and view on the correct cameras. None of the managers have Account access to add or delete users.

When accessing the system through the webGUI, the system functions as expected. When attempting to access a restricted camera, they get the message “You have no right”. When they click the Setup, the account section is not listed (as expected)

BUT when the same user logs in through the SmartPSS software, they are able to see ALL cameras. Even worse, when they go to Device Manage, they can add/delete/modify users. The software itself says “account modify failed”, but it doesn’t actually fail, the changes made do take effect.

I hope that there is just a box that we haven’t checked or possibly a firmware update, as this seems to be a pretty big security hole. Our current firmware is

Avatar
Dan Maresca
Member
Members
Forum Posts: 460
Member Since:
March 27, 2013
sp_UserOfflineSmall Offline
2
October 12, 2015 - 1:44 pm
sp_Permalink sp_Print sp_QuotePost
sp_ReportPost

Hello,

 

This could be “hole” to be sure though when the user uses smart pss. Are they using the account you set them up with to log in to the nvr?

Avatar
CFox_MerIT
Member
Members
Forum Posts: 8
Member Since:
March 31, 2015
sp_UserOfflineSmall Offline
3
October 12, 2015 - 6:08 pm
sp_Permalink sp_Print sp_QuotePost
sp_ReportPost

Yes, they are using the account I set up for them to log into both the webGUI of the NVR, and to connect the NVR as a device in SmartPSS.

I have tested with several other accounts which should also be limited, and they also are able to view all cameras and access the accounts section through SmartPSS, but not through the webGUI.

We have another client with a hybrid analog/IP NVR that we also purchased from you, and it does NOT have the same problem. The limited users on that system are still limited in SmartPSS. The firmware on that system is

Forum Timezone: America/New_York
Most Users Ever Online: 233
Currently Online:
Guest(s) 11
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Dan Maresca: 460
Techpro Security: 404
Heath Phillips: 261
shockwave199: 179
tubac: 166
Jer7of9: 151
Gilberto: 150
MrDeepFreeze: 136
javajeff: 132
LittleBrad: 103
Newest Members:
RobertRindy
Francisprurb
MilenaDom
FelixEncub
Fpernnkizx
KennethPaync
DustinTeark
Andrewsix
gabrielcs2
JustinKat
Forum Stats:
Groups: 5
Forums: 28
Topics: 1449
Posts: 5914

 

Member Stats:
Guest Posters: 130
Members: 20394
Moderators: 9
Admins: 5
Administrators: Damon Delcoro, Brad Besner, Jose Malave, Damon Delcoro, Tony Petruzzi
Moderators: Zeke Richey, Eric Wilson, Yarden Pinhasi, Aldino Frassinelli, Joe Shopsin, Joe Reffit, jwilhelmi, Jorge Nava, Tyler Rittel