senecajs / seneca-auth

A Seneca user authentication plugin for Hapi and Express
http://senecajs.org
MIT License

Various security issues with POST /auth/update_user #102

Open indr opened 8 years ago

indr commented 8 years ago
  1. It doesn't care about authentication
  2. It therefore lets you update about every user (providing orig_email or orig_nick)
  3. It updates passwords (even of other users, because of 1. and 2., but you have to supply repeat)