Need extra user for MJPEG with Basic auth!


#1

For the stream/mjpeg auth we absolutely need at least one additional user. Right now only the admin credentials are possible with full editing rights. Instead we need a another read/video only user!

Uncomfortable workaround: Run “cvlc -R” on a server to remove or change the authentication.

So, with “Basic” auth enabled in fw 1.0.3.34, I am now indeed able to access the URL below directly in a web browser - yeah! :grinning:

https://admin:password@IP_address/jpeg/mjpeg.html
https://admin:password@IP_address/jpeg/view.html.

The configuraton for stream 1 appears to determine the MJPEG resolution.
Note: The MJPEG stream actually calls https://IP_address/snapshot/view0.html
Be aware: Check if you have set the web UI to https or http.


#2

I really like the the progress I see in the GDS firmware! And Grandstream listens to the customers!

But we really need an option to turn off authentication (come on Grandstream, many users are using this at home! No authentication is ok there) and/or more user accounts.

Right now I cannot link to the pictures/stream because it contains the admin password!

If I can make a wish please add the options of “no authentication” and digest based authentication (https://en.m.wikipedia.org/wiki/Digest_access_authentication) if you cannot add more users - digest could use the admin user and password without exposing it.


#3

And 5 months later, with the latest firmware, we only have one user, the admin, too :-(((

It is a very serious security problem, the two basic functionality (setting up the device and using the device) must be separated by login access. If I give the URL to somebody to view the video stream, I have to give the root rights too? Noway.


#4

Have you tried “Anonymouse” mode in the latest firmware 1.0.5.2? Please upgrade to this version and check out the Release Note: http://firmware.grandstream.com/Release_Note_GDS3710_1.0.5.2.pdf

Please advise whether this works for you. Thank you for using GDS3710.


#5

Yes I tried, but it only works for some browsers, mostly MSIE (who the earth uses MSIE? brrr… :-)) and uses the outdated OCX technology instead of HTML5. I need a http or rtsp (mjpeg) stream, with no ‘root’ access. I’d like to use it in VLC (or other video app), or “IPCam Viewer Basic” on Android.


#6

Got the complains already, will address this in next firmware release (1.0.5.3?).
Please keep tuned. Thanks!


#7

So, been playing with this for a bit because I need to have a webpage display the stream. The key part here is if you get the cookies upon successful login, you can copy them to any other browsers, no login needed, YES you need to make sure the cookies EXPIRY are set to a long time away (ex: 2099) then just go to the https://ip_addr/jpeg/mjpeg.html and it will auto-login and start! Here is some more stuff I learned using the mjpeg.html/mjpeg.js files…

  1. get ChallangeCode
    https://IP_ADDR/goform/login

    REQUEST (POST)
    cmd=login
    user=admin
    type=1

    RESPONSE

    <?xml version="1.0" encoding="UTF-8" ?> 0 b62006e5bd1b6fe3737bec5456ad41d0 OK
  2. Calculate MD5 with Challenge Code returned above
    MD5( ChallengeCode:GDS3710lZpRsFzCbM:password )
    Example MD5( b62006e5bd1b6fe3737bec5456ad41d0:GDS3710lZpRsFzCbM:LSPBQut8 )

    REQUEST
    Header of If-Modified-Since=0
    https://10.1.1.48/goform/login?cmd=login&user=admin&authcode=f40324f4a7de86e972edf40bfd17ef06&type=1       
    
    RESPONSE
    <?xml version="1.0" encoding="UTF-8" ?>
    <Configuration>
       <ResCode>0</ResCode>
       <RetMsg>OK</RetMsg>
    </Configuration>
    
    SAVE COOKIES
    mjpeg_sess=f40324f4a7de86e972edf40bfd17ef06
    mjpeg_uname=admin
    mjpeg_level=1
    

After this it will load up