kbr / fritzconnection

Python-Tool to communicate with the AVM Fritz!Box by the TR-064 protocol and the AHA-HTTP-Interface
MIT License

Authorized without valid password #102

Closed AlexisTM closed 2 years ago

AlexisTM commented 3 years ago

Some information that I expect to be protected is available with an invalid password.

```
alexis@Kalexis:~$ fritzstatus -p NotThePAssword

fritzconnection v1.5.0
FRITZ!Box 7490 at http://169.254.1.1
FRITZ!OS: 7.27

FritzStatus:

    is linked             : True
    is connected          : True
    external ip (v4)      : --redacted--
    external ip (v6)      :  --redacted--
    internal ipv6-prefix  :  --redacted--
    uptime                : 139:48:38
    bytes send            : 3122439308
    bytes received        : 47792901963
    max. bit rate         : ('29.4 MBit/s', '68.1 MBit/s')
alexis@Kalexis:~$ fritzhosts -p NotThePAssword

fritzconnection v1.5.0
FRITZ!Box 7490 at http://169.254.1.1
FRITZ!OS: 7.27

FritzHosts:
List of registered hosts:

  n: ip               name                         mac                 status
--redacted real values-
```

kbr commented 3 years ago

That's not a security issue – even if it looks like one: the fritzstatus tool requires a password, but the services called on FritzOS don't need authentication. Therefore the password is ignored. Maybe the password check should get removed to avoid confusion.

AlexisTM commented 2 years ago

I was indeed confused due to the mandatory password. Let's close this then :)
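
The behaviour kbr describes, where the device and not the client tool decides which services check credentials, can be reproduced against a local stub. This is an added example, not part of the thread and not fritzconnection code. The stub server, its two paths, the credentials and the use of HTTP Basic authentication are constructed assumptions for illustration.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a device: paths and credentials are made up.
OPEN_PATH, PROTECTED_PATH = "/control/status", "/control/hosts"

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

GOOD, WRONG = basic("admin", "correct-password"), basic("admin", "NotThePassword")

class StubDevice(BaseHTTPRequestHandler):
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # Only the server decides which services check credentials.
        if self.path == PROTECTED_PATH and self.headers.get("Authorization") != GOOD:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="stub"')
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"<ok/>")
    def log_message(self, *args):  # silence per-request logging
        pass

def probe(paths, authorization):
    """Return {path: HTTP status} for POSTs sent with the given header."""
    server = HTTPServer(("127.0.0.1", 0), StubDevice)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    results = {}
    try:
        for path in paths:
            url = f"http://127.0.0.1:{server.server_port}{path}"
            req = urllib.request.Request(url, data=b"<probe/>", method="POST",
                                         headers={"Authorization": authorization})
            try:
                with opener.open(req, timeout=5) as resp:
                    results[path] = resp.status
            except urllib.error.HTTPError as err:
                results[path] = err.code
    finally:
        server.shutdown()
        server.server_close()
    return results

if __name__ == "__main__":
    for label, auth in (("wrong password", WRONG), ("right password", GOOD)):
        print(label, probe([OPEN_PATH, PROTECTED_PATH], auth))
```

With the wrong password the open path still answers 200 while the protected path returns 401, which is the pattern to look for when checking whether data returned under a bad password was ever protected on the server side.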