diff --git a/src/endpoints/levels/uploadLevel.cr b/src/endpoints/levels/uploadLevel.cr
index 044e074..4ad72e7 100644
--- a/src/endpoints/levels/uploadLevel.cr
+++ b/src/endpoints/levels/uploadLevel.cr
@@ -66,16 +66,16 @@ CrystalGauntlet.endpoints["/uploadGJLevel21.php"] = ->(context : HTTP::Server::C
 if forbidden_obj = level_objects.find do |obj|
 if !obj.has_key?("1")
 false
+ end
+
+ id = obj["1"].to_i
+ if allowed_objects.size > 0
+ if !allowed_objects.includes?(id)
+ true
+ end
 else
- id = obj["1"].to_i
- if allowed_objects.size > 0
- if !allowed_objects.includes?(id)
- true
- end
- else
- if forbidden_objects.includes?(id)
- true
- end
+ if forbidden_objects.includes?(id)
+ true
 end
 end
 end
@@ -83,6 +83,16 @@ CrystalGauntlet.endpoints["/uploadGJLevel21.php"] = ->(context : HTTP::Server::C
 return "-1"
 end
+ if exploit_obj = level_objects.find do |obj|
+ # target color ID
+ (obj.has_key?("23") && obj["23"].to_i < 0 || obj["23"].to_i > 1100) ||
+ # target group ID
+ (obj.has_key?("51") && obj["51"].to_i < 0 || obj["51"].to_i > 1100)
+ end
+ LOG.info { "preventing upload of level attempting to exploit invalid color/group IDs" }
+ return "-1"
+ end
+
 coins = level_objects.count { |obj| obj["1"]? == "1329" } # user coin id
 # todo: check if dual portals even exist?
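Review bot: The flattened `find` block in the first hunk no longer skips objects that lack key "1": the new `if !obj.has_key?("1") false end` is a bare expression whose value is discarded, so control falls through to `id = obj["1"].to_i`, which (assuming `level_objects` holds Hashes, as `has_key?` and `[]` suggest) raises KeyError on the missing key instead of returning false as the removed `else` branch did. Since `level_objects` is parsed from the upload body, a client can now crash the handler with a single keyless object rather than having it ignored, and the old early-reject behavior was the whole point of the guard. Replace the three-line `if` with `next false unless obj.has_key?("1")` so the block short-circuits again; if `obj["1"]` can hold non-numeric text, `id = obj["1"].to_i?` with a `next false unless id` would also avoid the pre-existing ArgumentError from `to_i`, though that is outside this commit's scope. The enclosing endpoint lambda starts and ends outside the hunk.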