
Insecure admin promotion

Open rnbguy opened this issue 4 years ago • 0 comments

I was trying to implement password-protected rooms and I noticed that you promote users to admin a bit insecurely.

https://github.com/Zibbp/Radium/blob/4a2fdd444285e479dbb9f09dd61f12203d23351a/components/Chat.vue#L87-L108

https://github.com/Zibbp/Radium/blob/4a2fdd444285e479dbb9f09dd61f12203d23351a/io/index.js#L70-L74

I am not a Node.js expert, but it seems that, from the client side, if someone injects calls for isAdmin and setAdmin without authentication, they can gain admin power.

Nonetheless, thanks for this awesome software.

rnbguy Dec 28 '20 13:12
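The concern raised in this issue, as an added example that is not part of the original issue and is not Radium's code: a server-side model in which admin status lives only in server state and promotion requires a token the server verifies. The event names `isAdmin` and `setAdmin` come from the issue; `skipVideo`, the token, the lockout count and the handler shape are assumptions, and the connection id is assumed to be assigned by the server.

```javascript
// Constructed model: connections are plain objects, events are handler calls.
// isAdmin/setAdmin are named in the issue; skipVideo and the token are assumptions.
const ADMIN_TOKEN = "constructed-demo-token"; // assumption: read from server config

// Compare without stopping at the first mismatch. In real Node code, use
// crypto.timingSafeEqual on equal-length buffers instead.
function tokensMatch(supplied, expected) {
  if (typeof supplied !== "string") return false;
  let diff = supplied.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= (supplied.charCodeAt(i % (supplied.length || 1)) || 0) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

function createServer(token) {
  const admins = new Set();   // server-side truth, keyed by connection id
  const failures = new Map(); // connection id -> failed promotion attempts
  const handlers = {
    // Promotion needs proof the server can verify; client flags grant nothing.
    setAdmin(conn, payload) {
      const tries = failures.get(conn.id) || 0;
      if (tries >= 3) return { ok: false, error: "locked" };
      if (!tokensMatch(payload && payload.token, token)) {
        failures.set(conn.id, tries + 1);
        return { ok: false, error: "unauthorized" };
      }
      admins.add(conn.id);
      return { ok: true };
    },
    // Answered from server state, never from what the client claims.
    isAdmin(conn) {
      return { ok: true, admin: admins.has(conn.id) };
    },
    // Every privileged event re-checks the server-side set.
    skipVideo(conn) {
      if (!admins.has(conn.id)) return { ok: false, error: "forbidden" };
      return { ok: true, action: "skip" };
    },
  };
  return {
    emit(conn, event, payload) {
      const known = Object.prototype.hasOwnProperty.call(handlers, event);
      return known ? handlers[event](conn, payload) : { ok: false, error: "unknown event" };
    },
    disconnect(conn) { admins.delete(conn.id); failures.delete(conn.id); },
  };
}
```

The point of the design is that no handler reads a role from the payload, so a client that sends these events directly gets the same answer as one using the UI.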