We all know mellotrainer has a giant flaw, right? right? Well, if you didn’t, you do now.
Recently I found out you can easily open mellotrainer even if not at all permitted. It’s probably been done before, but I’ve not found anything about it.
Basically, by using the CEF devtools that FiveM allows, you can easily open up the menu and use every option (Even admin options! *waaaaaat*) which is a massive issue. The GitHub and forum post have already been removed; however, there are quite a lot of servers still running mello trainer.
Worst part is, although it is unsupported and nowhere to be found, it still has ~300 servers with it running!
I have an idea for resolving this issue:
Remove Mellotrainer from your server as it really isn’t safe and use no trainer/something which is much safer, e.g. @Vespura’s vMenu, which also contains tons of customization and checks against attempts to trigger admin events.
Now, please tell as many people you know who use mello to stop using it. Let’s try to drop that count from 300, as that’s 300 vulnerable servers who could easily prevent such an issue from happening.
Agreed, it’s not just localised to mellotrainer specifically, I’m sure there are dozens of resources which could have issues like this, however so far I’m sure this is the most dangerous of them, seeing as you can kick and even BAN people.
Uuuum are you the people joining random servers and kicking people just to prove your point? I saw IllusiveTea with IceHax joining random servers exploiting this.
If a user can exploit a trainer isn’t that a sign that you should remove it? Clearly the trainer has flaws (as mentioned in the OP) that can be used to affect a server negatively and cause a great impact.
vMenu would be the superior menu to use. MelloTrainer has been discontinued by the developer and is per definition not safe for usage on public servers (since it does not use the builtin ACL).
If you are on about scripthook stuff then just no. This is directed more specifically at basically being able to use a “server-side trainer” and bypassing any sort of restrictions the owners/copycats (same thing) put in place on it.
esx_spectate is not bugged, it is coded so you can see it even if you are a user, but you can change it in client\main.lua.
Go to line 230 and change the function from there with this one:

    Citizen.CreateThread(function()
        while true do
            Wait(0) -- yield every frame so the key release is not missed
            if IsControlJustReleased(1, 163) then
                print('triggered')
                -- client-side check: only open spectate for superadmins
                if group == "superadmin" then
                    TriggerEvent('esx_spectate:spectate')
                end
            end
        end
    end)

That code is irrelevant here, the server side lacks the check of permissions, and using the CEF debug page you can send a POST request to trigger the kick without any sort of checks. After all, never trust the client. You don’t need to see the menu to trigger the event which kicks
Dude, it’s not about it “working”. There’s an exploit in it on the server-side in terms of permission checks, it just believes anyone who triggers the event is an admin, which they may not even be as you can trigger it without using the menu which needs admin.
See this line:
No permission checks whatsoever, which is a MASSIVE flaw, considering you don’t even need any sort of exploit to do so, as the event is exposed in the CEF debugger.
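
The server-side permission check the thread says is missing, sketched as an added example that is not part of any post above and is not code from MelloTrainer, esx_spectate or vMenu. The event name `example_trainer:kickPlayer` and the ACE object `example_trainer.kick` are hypothetical; the check uses FiveM's built-in ACL through `IsPlayerAceAllowed`.

```lua
-- server.lua (added example; event and ACE names are hypothetical)
-- Assumed grant in server.cfg:
--   add_ace group.admin example_trainer.kick allow
local KICK_EVENT = 'example_trainer:kickPlayer'
local KICK_ACE   = 'example_trainer.kick'

-- Authorise the *sender* of the event on the server. Whether the client
-- ever showed the admin menu is irrelevant: any client can emit the event.
local function senderIsAllowed(src, ace)
    return src ~= nil and src > 0 and IsPlayerAceAllowed(src, ace)
end

RegisterNetEvent(KICK_EVENT)
AddEventHandler(KICK_EVENT, function(targetId, reason)
    -- Capture the sender immediately; `source` is only valid in this scope.
    local src = tonumber(source)

    if not senderIsAllowed(src, KICK_ACE) then
        -- Log denied attempts so unauthorised triggers show up in the console.
        print(('[example_trainer] DENIED %s from id=%s name=%s')
            :format(KICK_EVENT, tostring(src), src and GetPlayerName(src) or 'unknown'))
        return
    end

    -- Arguments are client-controlled as well: validate before acting.
    targetId = tonumber(targetId)
    if not targetId or not GetPlayerName(targetId) then
        return -- no such connected player
    end
    reason = tostring(reason or 'Kicked by an admin'):sub(1, 128)

    print(('[example_trainer] %s (id=%d) kicked %s (id=%d): %s')
        :format(GetPlayerName(src), src, GetPlayerName(targetId), targetId, reason))
    DropPlayer(targetId, reason)
end)
```

A client-side group check like the one in the esx_spectate snippet only hides the menu; the decision to kick or ban has to be made in a handler like this one, against the ACL, for the player who sent the event.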