One main reason you should remove mellotrainer from your server


#1

We all know mellotrainer has a giant flaw, right? right? Well, if you didn’t, you do now.

Recently I found out you can easily open mellotrainer even if not at all permitted. It’s probably been done before, but I’ve not found anything about it.

Basically, by using the CEF devtools that FiveM allows, you can easily open up the menu and use every option (Even admin options! *waaaaaat*) which is a massive issue. The GitHub and forum post have already been removed; however, there are quite a lot of servers still running mello trainer.

Worst part is, although it is unsupported and nowhere to be found, it still has ~300 servers with it running!

I have an idea for resolving this issue:

Remove Mellotrainer from your server as it really isn’t safe and use no trainer/something which is much safer, e.g. @Vespura’s vMenu, which also contains tons of customization and checks against attempts to trigger admin events.

Now, please tell as many people you know who use mello to stop using it. Let’s try to drop that count from 300, as that’s 300 vulnerable servers who could easily prevent such an issue from happening.


#2

+1 - someone can temp ban all players unauthorized until server restart, if that’s not a good enough reason to remove it I don’t know what is.

psst, vMenu…


#3

Same with esx_spectate


#4

Agreed, it’s not just localised to mellotrainer specifically, I’m sure there are dozens of resources which could have issues like this, however so far I’m sure this is the most dangerous of them, seeing as you can kick and even BAN people.


#5

Uuuum are you the people joining random servers and kicking people just to prove your point? I saw IllusiveTea with IceHax joining random servers exploiting this.


#6

If a user can exploit a trainer isn’t that a sign that you should remove it? Clearly the trainer has flaws (as mentioned in the OP) that can be used to affect a server negatively and cause a great impact.


#7

Can we have a similar post for Windows 7 vulnerabilities? Maybe we can convince people to use Windows 10 :laughing:

Serious note: I wasn’t aware of this and changed to vMenu for other reasons. Good to hear about this and to put it out in the public.


#8

What exactly is so-called mellotrainer?


(Joke, Jesse Cris)


#9

vMenu would be the superior menu to use. MelloTrainer has been discontinued by the developer and is per definition not safe for usage on public servers (since it does not use the built-in ACL).


#10

Great example of why you should not be trusting the client! Always perform server-side checks that validate client activities.


#11

Lambda is pretty good.


#12

If you are on about scripthook stuff then just no. This is directed more specifically at basically being able to use a “server-side trainer” and bypassing any sort of restrictions the owners/copycats (same thing) put in place on it.


#13

Yeah, I did find out, that’s why I made my own admin menu :slight_smile:


#14

Clever boy :smile:


#15

Going to make a list of resources I have found with this type of issue:

  • mellotrainer - fuck me there’s a lot to be said about this one - 280 servers!
  • vrp_lottery - specifically, not checking if the value is negative or not
  • esx_spectate - allowing users to spectate and even kick - 304 servers!
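
The server-side pattern that posts #9, #10 and #15 point to, as an added example that is not part of the thread and not code from any resource named in it: a FiveM server script that authorises an admin action against the built-in ACL and validates a client-supplied quantity. The event names, the ACE name `example.kick`, the limits and the ticket price are hypothetical; the quantity check generalises the negative-value case mentioned for vrp_lottery.

```lua
-- server.lua (added example; event names, ACE name and limits are hypothetical)
-- Grant the permission in server.cfg, e.g.:  add_ace group.admin example.kick allow

local TICKET_PRICE = 50   -- hypothetical price, defined on the server only
local MAX_TICKETS  = 100  -- hypothetical per-request limit

-- True only for a whole number between 1 and max (rejects negatives,
-- zero, fractions, NaN, infinity and non-number types).
local function isPositiveInt(value, max)
    return type(value) == 'number'
        and value == math.floor(value)
        and value >= 1
        and value <= max
end

-- Admin action: the permission decision is made here, on the server,
-- against the built-in ACL. Whether the client-side menu was "allowed"
-- to open is irrelevant, because any client can send this event.
RegisterNetEvent('example:kickPlayer')
AddEventHandler('example:kickPlayer', function(targetId, reason)
    local src = source  -- server-assigned ID of the sending client

    if not IsPlayerAceAllowed(src, 'example.kick') then
        print(('[example] denied kick request from %s (id %s)'):format(
            tostring(GetPlayerName(src)), tostring(src)))
        return
    end

    -- Validate arguments even for authorised callers.
    if not isPositiveInt(targetId, 65535) then return end
    if GetPlayerName(tostring(targetId)) == nil then return end  -- not connected
    if type(reason) ~= 'string' or #reason > 200 then
        reason = 'Kicked by an administrator'
    end

    DropPlayer(tostring(targetId), reason)
end)

-- Purchase: the client only states how many; the server checks the
-- number and computes the cost itself.
RegisterNetEvent('example:buyTickets')
AddEventHandler('example:buyTickets', function(count)
    local src = source
    if not isPositiveInt(count, MAX_TICKETS) then
        print(('[example] rejected ticket count %s from id %s'):format(
            tostring(count), tostring(src)))
        return
    end
    local cost = count * TICKET_PRICE
    -- Charge `cost` through your framework's server-side money API here.
end)
```

The denied and rejected branches log the sender's ID, which gives server owners a record of clients sending events they should not be able to trigger.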