qbcore-framework / qb-inventory

Slot Based Inventory System Used With QB-Core :school_satchel:
GNU General Public License v3.0

[BUG] Shop Exploit #461

Closed draobrehtom closed 8 months ago

draobrehtom commented 1 year ago

Summary

Client-side manipulation of shop inventory items and prices.

Reproduction

RegisterCommand('exploit', function()
    local shop = 'test'
    local ShopItems = {
        label = 'hack',
        items = {
            {name="water_bottle",amount=999999,price=-10000,slot=1},
            {name="weapon_vintagepistol",amount=999999,price=0,slot=2},
            {name="casinochips",amount=999999,price=0,slot=3},
        },
    }
    TriggerServerEvent("inventory:server:OpenInventory", "shop", "Itemshop_" .. shop, ShopItems)
end)

Expected behavior

I expected the shop inventory and item prices to be securely controlled and managed on the server-side to prevent any client-side manipulation or unauthorized access.

Actual behavior

Currently, the shop inventory and item prices are managed on the client-side, which allows for potential manipulation and unauthorized access by users.

Additional context

image

Last Updated

Today

Custom Resources

No

Resource Rename

No
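One way to get the behaviour the report expects, as an added example (not qb-inventory's code and not the linked hot-fix): the server keeps its own catalog keyed by shop id and never reads an item list or price sent by the client. `ServerShops`, `resolveShop` and `quotePurchase` are hypothetical names, and the catalog entries are constructed sample data.

```lua
-- Added example, hypothetical names; plain Lua, no framework calls.
-- The catalog lives only on the server (constructed sample data).
local ServerShops = {
    Itemshop_test = {
        label = 'Test Shop',
        items = {
            { name = 'water_bottle', price = 2, amount = 50, slot = 1 },
            { name = 'sandwich',     price = 4, amount = 50, slot = 2 },
        },
    },
}

-- Resolve a shop by id only. The client-supplied table is accepted as a
-- parameter to make explicit that it is never read.
local function resolveShop(shopId, _clientData)
    if type(shopId) ~= 'string' then return nil, 'bad shop id' end
    local shop = ServerShops[shopId]
    if not shop then return nil, 'unknown shop' end
    return shop
end

-- Price a purchase from the server catalog; reject malformed quantities.
local function quotePurchase(shopId, slot, qty)
    local shop, err = resolveShop(shopId)
    if not shop then return nil, err end
    if type(qty) ~= 'number' or qty ~= math.floor(qty) or qty < 1 then
        return nil, 'bad quantity'
    end
    for _, item in ipairs(shop.items) do
        if item.slot == slot then
            if qty > item.amount then return nil, 'insufficient stock' end
            return { name = item.name, qty = qty, total = item.price * qty }
        end
    end
    return nil, 'unknown slot'
end

-- Client payload in the shape shown in the report (constructed).
local forged = { label = 'hack', items = {
    { name = 'water_bottle', amount = 999999, price = -10000, slot = 1 },
} }

local shop = assert(resolveShop('Itemshop_test', forged))
assert(shop.label == 'Test Shop' and shop.items[1].price == 2)
local quote = assert(quotePurchase('Itemshop_test', 1, 3))
assert(quote.total == 6)
assert(quotePurchase('Itemshop_test', 1, 999999) == nil)
assert(quotePurchase('Itemshop_hack', 1, 1) == nil)
print(quote.name, quote.qty, quote.total)
```

In a handler for `inventory:server:OpenInventory`, the same idea means looking the shop up by the id argument and discarding the third argument entirely.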

github-actions[bot] commented 11 months ago

This issue has had 60 days of inactivity & will close within 7 days

draobrehtom commented 11 months ago

A possible hot-fix solution is https://github.com/qbcore-framework/qb-inventory/compare/main...draobrehtom:qb-inventory:main

github-actions[bot] commented 9 months ago

This issue has had 60 days of inactivity & will close within 7 days

draobrehtom commented 3 months ago

https://github.com/qbcore-framework/qb-inventory/blob/00a092e0999e901518759ee3afde121ff9c7f8cc/server/main.lua#L267