
Author Topic: Security flaw at cp.mios.com  (Read 4858 times)

Offline autotoronto

  • Full Member
  • ***
  • Posts: 190
  • Karma: +0/-0
Security flaw at cp.mios.com
« on: December 28, 2011, 10:36:53 pm »
This service went down at least once this morning, and on two occasions forty minutes apart fed my iPhone a nice error page with PHP warnings revealing the file system architecture in use.

The kids running this system need to look here: http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors, I think.
Or maybe they need to ask their ISP helpdesk, or their Mommas, or something.

Are we really expected to trust these clowns with the security of our homes? This is basic, beginner-level web security, and they can't even get that right.

See the redacted image attached.

I am so angry at this incompetence I am fit to burst.
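The setting the post points at, shown as an added example (this is not code from the original post or from MiOS): the configuration that produces warnings-with-paths in the browser next to a production setup that keeps them in a log. The log path, the handler bodies and the generic error page are assumptions for illustration.

```php
<?php
// Added example, not MiOS code. The combination that puts PHP warnings
// (including absolute file paths) on the client's screen is:
//   display_errors = On
//   log_errors     = Off
// Production inverts both. These belong in php.ini or the pool config as
// well, because ini_set() runs too late to catch startup and parse errors.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log'); // assumed path
error_reporting(E_ALL);

// Defence in depth: route every runtime error through our own handler so
// that even if a stray .htaccess or .user.ini turns display_errors back on,
// the file/line details go to the log and not to the response body.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('php error [%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true; // returning true stops PHP's default output
});

// Uncaught exceptions get the same treatment: log the detail, show the user
// an opaque reference they can quote to support, and nothing else.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf('[%s] %s: %s at %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Something went wrong. Reference: {$ref}\n";
    exit;
});

// Anything below this line that fails will now log rather than leak, e.g.
// the sort of missing-file warning the post describes:
@include 'i18n/missing-language-file.php'; // assumed filename; the @ is not relied on
```

To verify which value is actually in effect on a deployed host (ini files layer on top of each other), run `php -i | grep -E 'display_errors|log_errors'` from the same SAPI the web server uses, or drop a one-line page that calls `ini_get('display_errors')` and then remove it again.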



Offline guessed

  • Community Beta
  • Master Member
  • ******
  • Posts: 5301
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: Security flaw at cp.mios.com
« Reply #1 on: December 29, 2011, 06:16:43 am »
Seems fairly easy to make happen as well.

In my case, I simply login to cp.mios.com, navigate to my Vera3, then go back to cp.mios.com and these errors come out all over the place.


PS: Moved to the Security sub-forum, as it was specifically built to cover this type of posting so that folks like @CJ could see them..

Offline pgrover516

  • Beta Testers
  • Hero Member
  • *****
  • Posts: 1013
  • Karma: +0/-0
Re: Security flaw at cp.mios.com
« Reply #2 on: December 29, 2011, 02:03:04 pm »
Easily repeatable: just use cp.mios to log on to Vera3, then go back. Also, logging out of V3 doesn't go all the way out; even after a Ctrl+F5 you can see all your devices.
V1,V2,V3,VLite,Express Controls HSM-100,Intermatic HA20C, HA04C,HA02C,HA09, Leviton VRP15-1LW, VRS15-1LX,Home Manageables HM-TS001,Schlage FE599, Schlage BE369, Cooper RF9500, Aeon Labs Minimote, Schlage TZEMT400AB32MAA+more
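The second observation in the post above is worth separating from the warnings. A hard refresh (Ctrl+F5) bypasses the browser cache, so if the device list still renders after "logging out", the server is still treating the request as authenticated. The cause on cp.mios.com is not stated on this page; what follows is an added example, not MiOS code, of a logout handler that ends the session on both sides so that symptom cannot occur. The redirect target and cookie attributes are assumptions.

```php
<?php
// Added example, not MiOS code: a logout endpoint that invalidates the session
// server-side, expires the cookie client-side, and stops authenticated pages
// from being served out of a cache.

session_start();

// 1. Destroy server-side state first. After this the old session ID is
//    worthless even if a client keeps sending it.
$_SESSION = [];
session_destroy();

// 2. Expire the session cookie in the browser with the same attributes it was
//    issued with, otherwise the browser may keep a second copy alive.
$p = session_get_cookie_params();
setcookie(session_name(), '', [
    'expires'  => time() - 42000,
    'path'     => $p['path'],
    'domain'   => $p['domain'],
    'secure'   => $p['secure'],
    'httponly' => $p['httponly'],
    'samesite' => $p['samesite'] ?? 'Lax',
]);

// 3. Make sure neither the browser nor an intermediate proxy hands back a
//    cached copy of a page that was rendered while logged in.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');

// 4. Send the user somewhere unauthenticated. 303 forces a GET.
header('Location: /login', true, 303); // assumed path
exit;
```

The same `Cache-Control: no-store` header belongs on every page that shows per-user data, not only on logout; and any page that needs a login should call `session_regenerate_id(true)` right after a successful authentication so that a session ID obtained before login cannot be reused afterwards.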

Offline mcvflorin

  • Administrator
  • Hero Member
  • *****
  • Posts: 1755
  • Karma: +11/-3
Re: Security flaw at cp.mios.com
« Reply #3 on: January 06, 2012, 07:34:57 am »
@autotoronto

No need to redact that image. The messages displayed don't reveal anything critical. The errors are related to the multi-language implementation of MiOS/cp, which is not fully completed yet. We are aware of the issues mentioned here and we are working to fix them.

Offline guessed

  • Community Beta
  • Master Member
  • ******
  • Posts: 5301
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: Security flaw at cp.mios.com
« Reply #4 on: January 06, 2012, 09:12:03 am »
Is there a bug# for tracking purposes?

Offline autotoronto

  • Full Member
  • ***
  • Posts: 190
  • Karma: +0/-0
Re: Security flaw at cp.mios.com
« Reply #5 on: January 06, 2012, 09:22:34 am »
This is a management issue, not a technical one, so this is the wrong place. But if you're making tenth grade errors like this, the point is, what else are you doing wrong?

EDIT: more crappy, careless security, here:

Quote
Ooops.  Yeah when we did the flash-based UI the coder was in Ukraine.  I'll bet he added them a long time ago and we forgot about them.
at http://forum.micasaverde.com/index.php/topic,8042.0.html

Evidence of no company security policy, no auditing, no importance given by management to this, letting the techs just "do their thing".

Wait until there's a burglary or home invasion which is traced to your laxity and you guys get hauled up in court by the insurers. Your asses are going to be toast, trust me.
« Last Edit: January 06, 2012, 09:44:21 am by autotoronto »

Offline mcvflorin

  • Administrator
  • Hero Member
  • *****
  • Posts: 1755
  • Karma: +11/-3
Re: Security flaw at cp.mios.com
« Reply #6 on: January 06, 2012, 09:44:33 am »
Quote
Is there a bug# for tracking purposes?

None that I know of.

Offline guessed

  • Community Beta
  • Master Member
  • ******
  • Posts: 5301
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: Security flaw at cp.mios.com
« Reply #7 on: January 06, 2012, 10:12:14 am »
@mcvflorin,
Given it's a Security problem to display file-based paths of your implementation, and that a few people are going to want to "track" this to completion, it would make sense for this to have a tracking bug.

You've done this for a few other postings in the system, and it makes sense to have one for anything that's indicated as "we know about this, and are working on it" so they don't fall out of the loop.

In this case, someone "aware" of the internals who is also able to find a hole in any of the PHP code written, can often do bad things...  It's been used over and over to create very interesting security loopholes (often well publicized, with significant negative press)

Offline mcvflorin

  • Administrator
  • Hero Member
  • *****
  • Posts: 1755
  • Karma: +11/-3
Re: Security flaw at cp.mios.com
« Reply #8 on: January 06, 2012, 11:15:16 am »
@guessed

You're right. The reason I didn't want to submit a bug in Mantis was that this issue was to be solved immediately, but as it turned out it will be fixed on Monday. So here it is: http://bugs.micasaverde.com/view.php?id=2040

Offline Ap15e

  • Beta Testers
  • Hero Member
  • *****
  • Posts: 1998
  • Karma: +12/-0
Re: Security flaw at cp.mios.com
« Reply #9 on: January 08, 2012, 11:32:15 am »
Quote
Your asses are going to be toast, trust me.

I don't think so:

http://forum.micasaverde.com/index.php/topic,4261.msg26875.html#msg26875