How to patch exploit can change booth owner for no reasons

ZuzrTkl · February 6, 2025, 9:18am

I need this patch Here proof

Because he exploiter can change booths all
how to i do patch?
Booth Script

game.ReplicatedStorage.Remotes.ChangeBooth.OnServerEvent:Connect(function(Player,Theme)

	if Owner.Value == Player.Name then
		
		Player:FindFirstChild("SystemData").BoothData.Value = Theme

		local ChosenTheme = game.ServerStorage.BoothModels:FindFirstChild(Theme)
		if ChosenTheme and ChosenTheme:IsA("Model") then
			local BoothAppearance = Booth:FindFirstChild("BoothAppear")
			if BoothAppearance then
				BoothAppearance:Destroy()
			end
			setsmoke()
			ChosenTheme = ChosenTheme:Clone()
			
			ChosenTheme.Name = "BoothAppear"
			ChosenTheme.Parent = Booth
			
			ChosenTheme:PivotTo(Booth.PrimaryPart.CFrame)
BoothText(ChosenTheme)
			
		

		end
	end		
end)

Client Remote

script.Parent.MouseButton1Click:Connect(function()
	if player:FindFirstChild("BoothFolder"):FindFirstChild(script.Parent.Name) then 
game.ReplicatedStorage.Remotes.ChangeBooth:FireServer(script.Parent.Name)
script.Parent.Parent.Parent.Visible = false
		game.ReplicatedStorage.Remotes.SendPlayerNotiy:FireServer("Booth successfully changed " .. script.Parent.Name)
else
		game.ReplicatedStorage.Remotes.SendPlayerNotiy:FireServer("Limited Booth Only.")
end
end)

mikquint · February 6, 2025, 10:03am

Add a booth ownership check on the server-side

if Owner.Value == Player.Name and Player:FindFirstChild(“BoothFolder”):FindFirstChild(Theme) then

TheRealANDRO · February 6, 2025, 10:03am

Your remote event handler script on the Server does not check if the player truly owns the booth. Instead, the client does it, which allows the exploiter to send any value they wish and obtain whatever booth they want.

Remove the check on the client and add it to the Server script, that should fix your issue.

ZuzrTkl · February 6, 2025, 10:07am

But has gamepasses and Who only access booth

mikquint · February 6, 2025, 10:08am

I don’t understand what you mean, but you should always check on the server-side, because exploiters can fire remoteevents to the server.

ZuzrTkl · February 6, 2025, 10:10am

But there buttons Booth who cant click for dont own
Exploiter can remote fireserver it for changed booth

ZuzrTkl · February 6, 2025, 10:13am

devforumLimits

mikquint · February 6, 2025, 10:15am

Did you change this on you server script already?

if Owner.Value == Player.Name and Player:FindFirstChild(“BoothFolder”):FindFirstChild(Theme) then

ZuzrTkl · February 6, 2025, 10:17am

i should add Script in button? without Localscript

mikquint · February 6, 2025, 10:18am

No in BoothScripts, the one you pasted in your post. Change line 3 to it.

ZuzrTkl · February 6, 2025, 10:20am

This button Inside


local id = 10697704 -- Your group id


local player  = game.Players.LocalPlayer
script.Parent.MouseButton1Click:Connect(function()
	if game.Players.LocalPlayer:GetRankInGroup(id) == 252 or game.Players.LocalPlayer:GetRankInGroup(id) == 253 then 
		game.ServerScriptService.ChangeBooth:Fire(player,script.Parent.Name)
		script.Parent.Parent.Parent.Visible = false
		game.ReplicatedStorage.Remotes.SendPlayerNotiy:FireClient(player,"Booth successfully changed " .. script.Parent.Name)
	else
		game.ReplicatedStorage.Remotes.SendPlayerNotiy:FireClient(player,"Booth for Admins and Mods only.")
	end
end)

i think will add event remotes and Add serverscript script

ZuzrTkl · February 6, 2025, 10:22am

No there Vip and access Booth but without Boothfolder

ZuzrTkl · February 6, 2025, 10:25am

local player = game.Players:FindFirstChild(script.Parent.Parent.Parent.Parent.Parent.Parent.Parent:FindFirstChild("USER").Value
)
print(player.Name)

this worked

ZuzrTkl · February 6, 2025, 10:27am

This good ideas Thank you
devv