NVR Flaw more words of Caution.

Revo2Maxx
Site Admin
Posts: 5820
Joined: Sat Jun 15, 2019 3:05 pm

NVR Flaw more words of Caution.

Post by Revo2Maxx »

So I have been doing loads of testing on my own and have come up with another part that I thought I should mention. In the past I found on my 2116-HS that if you set up a second admin account and removed a channel from the lineup, it would make it so they no longer had access to Zero Channel in the Amcrest View Pro app. However, I just found out tonight, with some more testing that I am doing on my own, that the flaw is still in the WebUI. Please see pictures below.

Also something I feel needs to be addressed. Taking away the Maintenance for the new Admin is needed if you have a 4108(E)-HS, 4116(E)-HS, 2116-HS or any of the ones that say to turn off the device if you shut it down. Like my 4216E-AI, when you shut it down it goes off. However, all the others listed, and any others that I have not had in front of me, after you shut them down on the GUI say to remove power. Doing so will keep that user from shutting down by remote. See pictures below.

Picture of Admin with 1 ch out of the lineup. The first 2 pictures show the option removed, and in the WebUI you are still able to see what is going on in the NVR, even the menu and anything that you thought was only seen at the NVR's GUI; it is passed even with 1 channel removed. This is a HIGH security risk; give Admin account access with caution...
Screenshot (1815).png
Screenshot (1817).png
Screenshot (1816).png
Screenshot (1818).png
Here to help the best I can.
Be Safe

Re: NVR Flaw more words of Caution.

Post by Revo2Maxx »

Also thought I would mention something that I don't feel should happen either, and that is...

In my 4116E-HS I just made a revo2maxx account for the first time since I reset it last week. I logged on and went to live, I then pressed the Preview Recover button and it loaded the 4 below with Grid setup and personally there is no need for it to take the last setup view of a different user and post it in the WebUI.

So, doing some more testing, I did find out some interesting things. However, it doesn't seem to solve the issue either. As I was typing that, I wanted to look at something, so I clicked the 16 picture grid and all of them went blank on the WebUI, but I could see they were there. So I thought, OK, that is odd. I pressed the X for Live View to bring up a fresh window and all the Zero Channel items on the bottom right were gone. I was like, OK, it worked, it is gone. However, I changed the 16ch view in the NVR back to 4ch, refreshed the live view window in the WebUI, and all the stuff came back for Zero Channel view again. So I thought, OK, let's try removing Ch4 only: no. 8 only: no. 12 only: no. Then I did all of 4, 8, 12, 16 and it still didn't take away the Zero Ch view, and if I turn on Grid and the GUI goes to the menu, it still shows. However, if I go to 16ch view and the WebUI exits while still in Grid 16ch view, the WebUI live view will not return the Zero Channel view, and doing the Preview Recover doesn't return the view either.

Now to try and find a CGI that might be able to turn off the Zero Channel view as a workaround. GaryOkie, if you happen to read this, do you know of any CGI that might disable the Zero Channel?
GaryOkie
Posts: 418
Joined: Mon Apr 27, 2020 7:23 pm

Re: NVR Flaw more words of Caution.

Post by GaryOkie »

No, sorry - the API/CGI manual does not mention anything about it. The guide is all camera-related; there is nothing in there about NVR-specific settings. My Dahua NVR doesn't have a "zero channel" setting, but I know some NVRs do. I read that the option to toggle zero channel is in the NVR UI (web or local) under SYSTEM/DISPLAY settings.

Re: NVR Flaw more words of Caution.

Post by Revo2Maxx »

@GaryOkie Thank you. I didn't think there was. I looked in many different formats from as far back as 2011, and some even related to Foscam; even though they are no longer part of Foscam, I thought maybe there might be a command or something that might have fallen through. No luck either lol.

About a switch: the only one I have that has a switch I can get to from both the GUI and the WebUI is, to be honest, the more secure device among all the 4.0 software devices. I can turn that off. The DVR with it on will not show menus, passwords or anything outside of video feeds, and that is how it should be. I personally like the ability to have Zero Channel. I like that it offers things that other devices without it won't.

However, I don't want someone to read my first post from some time last year about Zero Channel showing things in AVP that others shouldn't see, when I didn't ever look at the WebUI and the NVR or DVR at the same time to see the option to the right, which I thought just worked like one of my OLD DVRs from many moons ago that offers that feature. In the DVR of 2014 from Dahua and my Amcrest 2020 AI DVR, both of them have the cool multi channel to 1, but no menu or even mouse movements can be seen. So yes, when I saw the 4.0fw recorders had that, I thought, very nice. However, I didn't know it had the issue where the mouse, menu and all can be seen.

Also, to make it worse: making a second Admin account because it is the right thing to do, and maybe you don't want them to see everything that you are doing on the Main Admin, such as adding cameras, changing passwords in SMTP, FTP, or any of the camera details; it all transmits to their view just like they are doing it themselves.

Re: NVR Flaw more words of Caution.

Post by Revo2Maxx »

So there is MORE!!! Sorry to say however I feel it needs to be said..

On 4116E-HS, and others within the same group (HS), and H5 I would guess as well; I don't have an (H5), and it might be all devices.
On 4216E-AI as well, tested this.. I am not going to Delete all my devices just to test out other accounts on my devices..
On 1046EW-AI as well tested..

Setting up a second Admin account with its own password and name, even taking away Maintenance so the person, if logged in over the WebUI, can't turn off the recorder by remote... There is another HUGE flaw found using the Amcrest View Pro app.

When you log in as the new user on the AVP, click the gear in the screen right under the main view window and scroll all the way down to the bottom where it says Email Server settings. You click that, and now not only do they know the email it is being sent to, they now know your email password, and that FLAW is in my mind one of the largest.

So you're asking yourself, well, why not try all your devices? Well, it takes too long, and I do all I do as a hobby to try and help out others. It just takes too long to remove and add back as a new user that I have to add to the device first lol. I mean, yeah, sure, if this was a paid job then it would be part of my job. I am sure I will check more, just because I might feel the want or need in the future lol.

So maybe you're asking yourself, how do I know it should not work this way?

Well, in truth there was another machine I did test it on, my 7108-AI DVR. I added the same user (revo2maxx), same password and same level of access as all the other Admins, and when I click that button, sure, I get the email it is being sent to. However, if I click the little eye for the password I get ****** stars. That is much better than the system showing me my password.

The others listed above clicking the Eye shows the Password..

Now, just because I like to make sure I cover everything, I did test a user account on the 4216E-AI, and I guess seeing it works as expected (no admin features or any settings), I guess that is how a normal user on all the machines would work. As a normal user account it doesn't show anything.

HOWEVER, a MAJOR FLAW is even on a user account: if they look at Zero Channel they can watch everything you do on your NVR, even adding cameras, users, setting up email, FTP, and anything done will be transmitted to the user account over AVP in the app. That is worse than just a NORMAL ADMIN.

To me this makes it so there should be no other accounts made and use these devices as single user access machine only...

Be Safe.

Re: NVR Flaw more words of Caution.

Post by Revo2Maxx »

Ok Thought I would update this some.

So after loads of testing, I found out some info that might be helpful, and we might get an update that cures this issue. For ones that don't have Matrix, I just hope they disable the Zero Channel issue. Personally I don't mind having access to Zero Channel. What I do mind is that I can see what is going on within the devices. This is via WebUI, ASP, and AVP.

I spent some time and after reading it just didn't make enough sense to me and I was the one writing it so I know it would most likely confuse others that would be reading it so I made a Video to explain and this might be something that other devices have right now and what they can do to secure the recorder.

https://youtu.be/MUXMITtp09o

Screenshot (2968).png