Open rnbguy opened 3 years ago
I was trying to implement password-protected rooms and I noticed you promote users to admin a bit insecurely.
https://github.com/Zibbp/Radium/blob/4a2fdd444285e479dbb9f09dd61f12203d23351a/components/Chat.vue#L87-L108
https://github.com/Zibbp/Radium/blob/4a2fdd444285e479dbb9f09dd61f12203d23351a/io/index.js#L70-L74
I am not a Nodejs expert, but it seems that, from the client side, if someone injects calls for isAdmin and setAdmin without authentication, they can gain admin power.
Nonetheless, thanks for this awesome software.