Exposing admin username in javascript could be a potential security risk #2098

Open
opened 2026-02-28 01:03:39 -05:00 by deekerman · 4 comments
Owner

Originally created by @developerfromjokela on GitHub (Dec 28, 2021).

Hello!
motionEye seems to expose the admin username in its HTML as a JavaScript variable.
I think this is a potential security risk for brute-force and/or dictionary attacks against the login system.

What was/is the purpose of keeping that variable in the HTML?


@G2G2G2G commented on GitHub (Feb 4, 2022):

This has nothing to do with brute-force or dictionary attacks in any way.
Data logging/sniffing/reading, sure.


@developerfromjokela commented on GitHub (Feb 4, 2022):

It has. If you don't expose your username, they cannot log in even if they have the correct password.


@developerfromjokela commented on GitHub (Feb 4, 2022):

It makes that job easier.


@MichaIng commented on GitHub (Mar 18, 2022):

> What was/is the purpose of keeping that variable in the HTML?

It is how the value is passed from the backend to the browser's JavaScript to check whether the current user is the admin user, to show/hide or enable/disable certain GUI elements:

- Set here via an inline script, generated by the backend: https://github.com/motioneye-project/motioneye/blob/c7d86c6/motioneye/templates/main.html#L89
- Used for this function in the main JavaScript, executed in the browser: https://github.com/motioneye-project/motioneye/blob/4249e44/motioneye/static/js/main.js#L398

However, I agree this is not so awesome. The admin username cannot be changed via the GUI, but at least manually via the config file. Since it is not used anywhere else in the frontend, it makes more sense to pass an "isAdmin" flag instead of the name. Even smarter would be to apply an admin or non-admin class to admin-only HTML elements right in the backend, to have them shown/hidden in the first place without needing to toggle classes via JavaScript, making even passing this flag obsolete.

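The pattern MichaIng describes, side by side with the two alternatives proposed in that comment (an `isAdmin` flag, or a class set by the backend), as an added example that is not motionEye's own code. The admin account name, the markup and the function names are constructed for illustration.

```python
"""Added example, not code from motionEye. It contrasts the pattern discussed in
the thread (admin username emitted into an inline <script>) with the two
alternatives proposed: passing only a boolean flag, or letting the backend decide
visibility by emitting a CSS class. All names and markup here are constructed."""
import json

ADMIN_USERNAME = "ops-admin-7"   # constructed: stands in for the configured admin account

BUTTON = "<button id='settings'>Settings</button>"   # an admin-only GUI element


def render_exposed(current_user: str) -> str:
    """Weak: every visitor's HTML carries the admin account name and the
    browser-side script performs the comparison."""
    # json.dumps quotes the value; a real template must also guard against
    # a value containing '</script>', which json.dumps alone does not escape.
    inline = (f"var username = {json.dumps(current_user)};"
              f" var adminUsername = {json.dumps(ADMIN_USERNAME)};")
    return f"<script>{inline}</script>\n{BUTTON}"


def render_flag(current_user: str) -> str:
    """Better: the backend compares; the browser only learns true/false."""
    is_admin = json.dumps(current_user == ADMIN_USERNAME)   # renders as 'true' or 'false'
    return f"<script>var isAdmin = {is_admin};</script>\n{BUTTON}"


def render_server_side(current_user: str) -> str:
    """Best of the three: visibility decided in the template via a class,
    so no admin-related value is passed to JavaScript at all."""
    cls = "admin" if current_user == ADMIN_USERNAME else "non-admin"
    return f"<button id='settings' class='{cls}'>Settings</button>"


def leaks_admin_name(page: str) -> bool:
    """What a reviewer would check in the served HTML: does the admin
    account name appear anywhere in the page a non-admin receives?"""
    return ADMIN_USERNAME in page


if __name__ == "__main__":
    for render in (render_exposed, render_flag, render_server_side):
        page = render("viewer")
        print(f"{render.__name__:20s} leaks admin name: {leaks_admin_name(page)}")
```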