DrVrej / VJ-Base

An addon for Garry's mod that contains bunch of bases to make many different types of addons.
http://steamcommunity.com/sharedfiles/filedetails/?id=131759821

Unprotected net call #120

Open j-roark opened 3 weeks ago

j-roark commented 3 weeks ago

The net call vj_npcspawner_sv_create is currently being exploited with lua injectors to allow hackers to arbitrarily spawn NPCs and grief any server using VJ base. This is because this call (and potentially some others) are unprotected serverside. It only checks that the player has a toolgun and has the spawner selected, but it does not check if they are an admin / have the correct permissions. So with a lua injector, if they are able to get a toolgun, players can arbitrarily spawn NPCs.

DrVrej commented 3 weeks ago

Why have you given players the ability to select the NPC spawner in the first place? I am assuming your server is not a sandbox, so your priority should be restricting either the tool gun altogether or at least locking certain tools like the NPC spawner. As for an admin check, I don't want to put it there as this tool is used a lot in small locked NPC sandbox servers. Like I mentioned earlier, instead of me restricting a useful tool because of big servers, I rather let the server owners decide if it should be allowed or not.

j-roark commented 3 weeks ago

> Why have you given players the ability to select the NPC spawner in the first place?

Sometimes in gamemodes outside of sandbox players may need to use the toolgun for certain tasks. Locking the permission for NPC spawners behind a specific permission does not make it non-clickable, it makes it non-fireable, which is not what the server-side net receiver for this call is checking for.

DrVrej commented 3 weeks ago

I am friends with many big server owners, and none of them have this issue. I have asked before and all have told me they lock the tool from being clickable or they hide it from the list entirely. I would be happy to add an additional check to the net calls, if you have anything in mind aside from an admin check because I don't want to restrict tools that are used a lot in private servers, let me know 👍
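A server-side receiver of the shape this thread describes, written as an added example (not VJ Base's own code): the tool-gun check on its own, beside a hook-based permission layer that leaves the policy to the server owner rather than hard-coding an admin check. Only the net string name is taken from the issue; the hook name `VJ_CanUseNPCSpawner`, the tool name `vj_npcspawner` and the helper names are assumptions.

```lua
-- Added example, not VJ Base code. Net string from the issue; the hook name,
-- the tool name "vj_npcspawner" and the helper names are assumptions.
if SERVER then
    util.AddNetworkString("vj_npcspawner_sv_create")

    -- The check the issue describes: tool gun equipped and spawner selected.
    -- Any client able to send the net message passes this on its own.
    local function HasSpawnerTool(ply)
        local wep = ply:GetActiveWeapon()
        if not IsValid(wep) or wep:GetClass() ~= "gmod_tool" then return false end
        return ply:GetInfo("gmod_toolmode") == "vj_npcspawner"
    end

    -- Added layer: a hook lets the server owner decide the policy (admin only,
    -- usergroup, anything) while the default stays permissive for sandboxes.
    local function CanUseSpawner(ply)
        if not HasSpawnerTool(ply) then return false end
        if hook.Run("VJ_CanUseNPCSpawner", ply) == false then return false end
        return true
    end

    -- Per-player cooldown so a client that bypasses the UI cannot flood spawns.
    local lastUse = {}
    local function OnCooldown(ply)
        local now, id = CurTime(), ply:SteamID()
        local blocked = (now - (lastUse[id] or 0)) < 0.5
        lastUse[id] = now
        return blocked
    end

    net.Receive("vj_npcspawner_sv_create", function(len, ply)
        if not IsValid(ply) then return end
        local class = net.ReadString()
        local pos = net.ReadVector()
        -- Reject unauthorized senders, spam, and classes not in the NPC list.
        if not CanUseSpawner(ply) or OnCooldown(ply) or not list.Get("NPC")[class] then
            ServerLog(string.format("[VJ] rejected spawner request from %s (%s): %s\n",
                ply:Nick(), ply:SteamID(), class))
            return
        end
        local npc = ents.Create(class)
        if not IsValid(npc) then return end
        npc:SetPos(pos)
        npc:Spawn()
    end)

    -- Example owner policy: this server restricts the spawner to admins.
    hook.Add("VJ_CanUseNPCSpawner", "ExampleAdminOnly", function(ply)
        if not ply:IsAdmin() then return false end
    end)
end
```

A sandbox server that wants everyone to keep using the tool simply adds no hook; the rejection log line gives owners a record of clients sending the message without the tool selected.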