SMTP Password in web response
#1
I just recognized that if you request the web URL .../config?media=all, the whole configuration, including the SMTP password, is returned. This is, in my opinion, a real security issue, as a Gmail password should be secret and not exposed via a web API.

What do you think about that?
 
#2
Hi,

I would say that the security issue depends on your usage.
If you use the webgui only within your LAN, trust the other users, and use that email account only for pilight, I would say it is OK.

If you forward the webgui port to the internet and index your webgui on Google, then it is definitely a security issue. But in this case you should think about what else happens if someone uses your switches by simply using the webgui.

The webserver-authentication should help you on that:
webserver-authentication@pilight Wiki

I just tried it, but didn't succeed. I added the following line to my config:
Code:
"webserver-authentication": [ "aaa", "bbb" ],
After opening the pilight webgui, a dialog asks for username and password. But after entering username and a password, the dialog opens again and again.
Tested with pilight 7.0 on my Raspi 2

Please let me know if you succeed in using webserver-authentication.
 
#3
Check the pilight manual:
https://manual.pilight.org/en/configuration-settings
 
#4
I would say it is in general not a good idea to expose a password with any service... And IMHO there is no use case where it is needed...
So it would be great if you could protect the SMTP password by masking it, maybe with Xes.
 
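The masking suggested in post #4, as an added example (not pilight's code and not written by any poster in this thread): a config response is parsed, secret values are replaced with a fixed-length mask, and the result is re-serialized. The setting names other than "webserver-authentication" ("smtp-password", "smtp-host", "smtp-user", "webserver-enable") and the sample config are assumptions constructed for illustration.

```python
import json

# Assumption: setting names whose values are secrets. "smtp-password" stands
# for the SMTP password discussed in this thread; extend the set as needed.
SECRET_KEYS = {"smtp-password"}
MASK = "XXXXXXXX"  # fixed length, so the mask does not reveal password length


def redact(node, secret_keys=SECRET_KEYS):
    """Return a copy of a parsed config with secret values masked."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key in secret_keys and value not in (None, ""):
                out[key] = MASK
            elif key == "webserver-authentication" and isinstance(value, list):
                # [username, password-or-hash]: keep the username, mask the rest
                out[key] = value[:1] + [MASK] * (len(value) - 1)
            else:
                out[key] = redact(value, secret_keys)
        return out
    if isinstance(node, list):
        return [redact(item, secret_keys) for item in node]
    return node


def config_response(raw_json):
    """Body a config endpoint could return: same structure, secrets masked."""
    return json.dumps(redact(json.loads(raw_json)), indent=2)


# Constructed sample config (not taken from a real installation).
SAMPLE = """{
  "devices": {},
  "settings": {
    "webserver-enable": 1,
    "webserver-authentication": ["aaa", "bbb"],
    "smtp-host": "smtp.example.org",
    "smtp-user": "alerts@example.org",
    "smtp-password": "constructed-secret"
  }
}"""

if __name__ == "__main__":
    print(config_response(SAMPLE))
```

Masking on output only works if the unmasked config is never served through another path, and a client that writes the config back must not store the mask as the new password.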
#5
@curlymo: thanks for that link, I only looked into the wiki and wasn't aware of the sha256 hash.
 