Radium
Insecure admin promotion
I was trying to implement password-protected rooms and I noticed you promote users to admin a bit insecurely.
https://github.com/Zibbp/Radium/blob/4a2fdd444285e479dbb9f09dd61f12203d23351a/components/Chat.vue#L87-L108 https://github.com/Zibbp/Radium/blob/4a2fdd444285e479dbb9f09dd61f12203d23351a/io/index.js#L70-L74
I am not a Node.js expert, but it seems that, from the client side, if someone injects calls for isAdmin and setAdmin without authentication, they can gain admin power.
Nonetheless, thanks for this awesome software.