10% Off All Orders + Free Shipping
Use Coupon Code Joy2017
Hurry! Sale Ends 12/31/17
Avatar

Please consider registering
Guest

Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

Register Lost password?
sp_Feed sp_TopicIcon
SmartPSS limited user security issue
sp_NewPost Add Reply sp_NewTopic Add Topic
Avatar
CFox_MerIT
Member
Members
Forum Posts: 8
Member Since:
March 31, 2015
sp_UserOfflineSmall Offline
1
October 12, 2015 - 1:08 pm
sp_Permalink sp_Print sp_QuotePost
sp_ReportPost

I just found an issue with the SmartPSS remote viewing software that I hope someone has a fix for.

We have a 64 channel NVR, which has cameras connected from different areas/businesses on property.

We want to limit the managers of the different businesses to view the cameras only for their own area. To do that, we have created groups that only include playback and view on the correct cameras. None of the managers have Account access to add or delete users.

When accessing the system through the webGUI, the system functions as expected. When attempting to access a restricted camera, they get the message “You have no right”. When they click the Setup, the account section is not listed (as expected)

BUT when the same user logs in through the SmartPSS software, they are able to see ALL cameras. Even worse, when they go to Device Manage, they can add/delete/modify users. The software itself says “account modify failed”, but it doesn’t actually fail, the changes made do take effect.

I hope that there is just a box that we haven’t checked or possibly a firmware update, as this seems to be a pretty big security hole. Our current firmware is

Avatar
Dan Maresca
Moderator
Guests

Members

Moderators
Forum Posts: 460
Member Since:
March 27, 2013
sp_UserOfflineSmall Offline
2
October 12, 2015 - 1:44 pm
sp_Permalink sp_Print sp_QuotePost
sp_ReportPost

Hello,

 

This could be “hole” to be sure though when the user uses smart pss. Are they using the account you set them up with to log in to the nvr?

Avatar
CFox_MerIT
Member
Members
Forum Posts: 8
Member Since:
March 31, 2015
sp_UserOfflineSmall Offline
3
October 12, 2015 - 6:08 pm
sp_Permalink sp_Print sp_QuotePost
sp_ReportPost

Yes, they are using the account I set up for them to log into both the webGUI of the NVR, and to connect the NVR as a device in SmartPSS.

I have tested with several other accounts which should also be limited, and they also are able to view all cameras and access the accounts section through SmartPSS, but not through the webGUI.

We have another client with a hybrid analog/IP NVR that we also purchased from you, and it does NOT have the same problem. The limited users on that system are still limited in SmartPSS. The firmware on that system is

Forum Timezone: America/New_York

Most Users Ever Online: 127

Currently Online:
27 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Techpro Security: 404

shockwave199: 179

tubac: 163

Gilberto: 150

MrDeepFreeze: 135

javajeff: 132

Jer7of9: 129

Night Hawk: 98

West Coast Jones: 66

ShawnInFL: 64

Newest Members:

ThomasSok

BladecliffAdorunund

manuelln16

DentalBib

BoberModAdorunund

StevenSoono

Waisher

KoskrymOperm

haleypg60

Loablerw

Forum Stats:

Groups: 5

Forums: 28

Topics: 1199

Posts: 5272

 

Member Stats:

Guest Posters: 62

Members: 5660

Moderators: 15

Admins: 4

Administrators: Damon Delcoro, Brad Besner, Jose Malave, Gabe Garcia

Moderators: Dan Maresca, Ryan, Zeke Richey, Jorge Nava, Matthew Ernst, LittleBrad, Heath Phillips, Tonya Haley, Dan Millard, Eric Wilson, Brian Lee, Michael, Ted, mwhite, Julius Dilka