New Member
Posts: 23
Registered: ‎03-14-2018
Kudos: 7

Hotspot URL parameters changed - security change?

Hi All,

 

We're having reports from our customers that have upgraded to 5.10.10+ that the guest portal redirect we use is no longer working.

 

Having reviewed a number of support tickets from them, we can see that the URL parameters that used to be passed to the initial hotspot redirect URL have been removed. Instead, a new parameter "ec" has been added which is some long encoded string.

 

As an example, we normally expect to see this:

 

http://x.x.x.x:8880/guest/s/g8lja8ch/?ap=aa:bb:cc:dd:ee:ff&id=11:22:33:44:55:66&t=1549737758&url=http://connectivitycheck.gstatic.com%2fgenerate_204&ssid=blah

 

But now, we're seeing this:

 

http://x.x.x.x:8880/guest/s/g8lja8ch/?ap=aa:bb:cc:dd:ee:ff&ec=2d4kMa0G18VWg73xHV5rxqdZIghze1LLg1roq0UG2JPHpKIYgKUdKnIC3WAsU1oiRbyyDBb0IH9NetQhzZdeHVlHtd7xfAP8ufJT__uPy3UaG0dWx2QSxbQp4OA5Wfz8J5UX67WWkVJ-VunDBIue5OCE0JUsAfs_w2pMBmVFeEC5G860rc8C9G1NRF43IoFI


Note the parameters "id" and "ssid" etc are gone and have been replaced with this new "ec" parameter.

 

Does anyone know what this is and how to decode it to get the parameters back, or is there a setting on the controller to go back to the original behaviour?

 

I note this line in the release notes but not sure if it's related - can more info be provided?

 

-Security improvement for guest authentication.

 

P.S. I tested 5.10.12 in my lab and it's still giving me the normal parameters, but we have 5+ different customers reporting the above so there is definitely something changed.

 

Thanks very much!

 

James
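
An external portal can tell the two redirect forms shown in this post apart and refuse to continue when the client MAC (`id`) is missing, instead of failing silently. This is an added example, not part of the original post and not UniFi code; the function name and validation rules are assumptions, and the `ec` value is a constructed placeholder that is treated as opaque and never decoded.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Sample URLs follow the two forms in the post; the "ec" value is a
# constructed placeholder, not a real controller value.
LEGACY_SAMPLE = (
    "http://x.x.x.x:8880/guest/s/g8lja8ch/?ap=aa:bb:cc:dd:ee:ff"
    "&id=11:22:33:44:55:66&t=1549737758"
    "&url=http://connectivitycheck.gstatic.com%2fgenerate_204&ssid=blah"
)
OPAQUE_SAMPLE = (
    "http://x.x.x.x:8880/guest/s/g8lja8ch/?ap=aa:bb:cc:dd:ee:ff"
    "&ec=CONSTRUCTED_OPAQUE_VALUE"
)

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
LEGACY_REQUIRED = ("ap", "id", "t", "url", "ssid")


def classify_redirect(redirect_url):
    """Return (kind, fields, problems) for a guest portal redirect URL.

    kind is "legacy" (plain parameters), "opaque" (only the "ec" blob,
    which is left undecoded) or "invalid" (fail closed, do not authorize).
    """
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    # Repeated parameters are rejected rather than silently picking one.
    problems = [f"duplicate parameter: {k}" for k, v in query.items() if len(v) > 1]
    fields = {k: v[0] for k, v in query.items()}

    if "ec" in fields and "id" not in fields:
        return ("invalid" if problems else "opaque"), fields, problems

    for name in LEGACY_REQUIRED:
        if name not in fields:
            problems.append(f"missing parameter: {name}")
    for name in ("ap", "id"):
        if name in fields and not MAC_RE.match(fields[name]):
            problems.append(f"malformed MAC in {name}")
    if "t" in fields and not fields["t"].isdigit():
        problems.append("non-numeric timestamp in t")
    if "url" in fields and urlsplit(fields["url"]).scheme not in ("http", "https"):
        problems.append("unexpected scheme in url")
    return ("invalid" if problems else "legacy"), fields, problems
```

Logging the returned kind per controller makes it easy to see which customer sites are sending the `ec` form.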

Senior Member
Posts: 23,586
Registered: ‎08-04-2017
Kudos: 4470
Solutions: 1160

Re: Hotspot URL parameters changed - security change?

Hello @james-wood,

 

This has been fixed on 5.10.17

You can use my Easy Update Script to update the controller on Linux Machines.

 

 

Regards,
Glenn R.

Cloud Hosted Controllers | Glenn R. | UniFi Installation/Easy Update Scripts | UniFi-Video Installation Scripts | UniFi-VoIP Installation Scripts
USG-XG-8 • USG-4-PRO • USG
US-XG-16 • US-48-500W • US-24-POE-250W 2x • US-16-POE-150W 3x • US-24 • US-8-150W • US-8
UAP XG • UAP-SHD • UAP-HD • UAP-NanoHD 2x • UAP-AC-PRO 2x • UAP-AC-LITE • UAP-AC-IW • UAP-AC-M • UAP-AC-M-PRO 2x
UAS-XG • UCK-G2-PLUS • UCK-G2 • UCK
New Member
Posts: 23
Registered: ‎03-14-2018
Kudos: 7

Re: Hotspot URL parameters changed - security change?

Ah, right - thanks.

 

Did it start in 5.10.10 or some other version as my 5.10.12 works fine!

 

Do you know what happened or why?

 

Thanks!

 

James

Senior Member
Posts: 23,586
Registered: ‎08-04-2017
Kudos: 4470
Solutions: 1160

Re: Hotspot URL parameters changed - security change?

Hello @james-wood,

 

Not aware what caused it, but 5.10.17 fixed the issues

 

 

Regards,

Glenn R.

New Member
Posts: 23
Registered: ‎03-14-2018
Kudos: 7

Re: Hotspot URL parameters changed - security change?

We've had a few customers upgrade to 5.10.17 and they're reporting the same. Is there some cache or other setting that might need to be changed to restore the old behaviour?

 

Are there any release notes particular to this bug?

 

Thanks!

Senior Member
Posts: 23,586
Registered: ‎08-04-2017
Kudos: 4470
Solutions: 1160

Re: Hotspot URL parameters changed - security change?

Hello @james-wood,

 

Read the release posts of 5.10.17

 

 

Regards,

Glenn R.

New Member
Posts: 23
Registered: ‎03-14-2018
Kudos: 7

Re: Hotspot URL parameters changed - security change?

I did, but all it says is a very vague "Fix external guest portal cookies" - I didn't think this issue is anything to do with cookies...

 

Thanks

 

James

Senior Member
Posts: 23,586
Registered: ‎08-04-2017
Kudos: 4470
Solutions: 1160

Re: Hotspot URL parameters changed - security change?

Hello @james-wood,

 

Did you upgrade?

Force provision the UAPs?

 

I have quite a few clients running the guest portal without any issues on 5.10.17

 

 

Regards,

Glenn R.

New Member
Posts: 23
Registered: ‎03-14-2018
Kudos: 7

Re: Hotspot URL parameters changed - security change?

We've got customers who, after upgrading to .17 and their APs too, it's still passing the "ec" parameter - can this be checked?

 

I can't replicate it on my own controller (same version) which is strange.

 

Thanks!

Senior Member
Posts: 23,586
Registered: ‎08-04-2017
Kudos: 4470
Solutions: 1160

Re: Hotspot URL parameters changed - security change?

Hello @james-wood,

 

Try to restart the controller and UAPs.

 

 

Regards,

Glenn R.
