Attack on online compilation systems through header file manipulation

Hanno Böck, author of the fuzzing-project.org project, drew attention to a vulnerability in interactive compilation interfaces that accept external C code. When an arbitrary path is specified in an "#include" directive, the compilation error output includes the contents of the file that could not be compiled.

For example, by submitting code containing "#include </etc/shadow>" to one of the online services, it was possible to obtain the root user's password hash from the /etc/shadow file in the output. This also indicates that the web service is running as root and runs compilation commands as the root user (an isolated container may have been used for compilation, but running with root permissions inside the container is also a problem). The affected service, on which the problem was reproduced, has not been named yet. Attempts to open files in the /proc pseudo-filesystem failed because GCC treats them as empty files, but opening files from /sys works.
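
A pre-compilation check that an online compiler could run on submitted code, rejecting "#include" directives that use absolute paths, parent-directory components or macro-computed names. This is an added example, not code from the original article or from any service it describes; the function names and sample submissions are constructed, and the check is meant to sit alongside running the compiler as an unprivileged user, not to replace it.

```python
import re

# Comments and quoted literals, so stripping comments leaves strings intact.
_TOKEN = re.compile(
    r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)
# '#' may also be written as the digraph '%:'.
_DIRECTIVE = re.compile(
    r'^[ \t]*(?:#|%:)[ \t]*(?:include|include_next|import)\b(.*)$', re.M)
_HEADER = re.compile(r'^[ \t]*(?:<([^<>\n]+)>|"([^"\n]+)")[ \t]*$')

def normalise(source: str) -> str:
    """Undo the spellings that hide a directive from a line-based scan."""
    source = source.replace("\r\n", "\n")
    source = source.replace("??=", "#").replace("??/", "\\")  # trigraphs
    source = source.replace("\\\n", "")                        # line splicing
    keep = lambda m: m.group() if m.group()[0] in "\"'" else " "
    return _TOKEN.sub(keep, source)

def rejected_includes(source: str) -> list:
    """Return one reason per include directive that breaks the policy."""
    problems = []
    for match in _DIRECTIVE.finditer(normalise(source)):
        argument = match.group(1)
        header = _HEADER.match(argument)
        if header is None:
            # Macro-computed include: path unknown until preprocessing; fail closed.
            problems.append(f"not a literal header name: {argument.strip()!r}")
            continue
        path = header.group(1) or header.group(2)
        if path.startswith("/"):
            problems.append(f"absolute path: {path!r}")
        elif ".." in path.split("/"):
            problems.append(f"parent-directory component: {path!r}")
    return problems

# Constructed submissions; /etc/shadow is the path the article reports.
SAMPLES = {
    "plain": '#include <stdio.h>\n#include "util/buf.h"\nint main(void){return 0;}\n',
    "absolute": '#include </etc/shadow>\n',
    "spliced": '#inc\\\nlude "/etc/shadow"\n',
    "commented": '/* x */ %: include "../../../etc/shadow"\n',
    "macro": '#define H </etc/shadow>\n#include H\n',
}

if __name__ == "__main__":
    for name, code in SAMPLES.items():
        print(name, rejected_includes(code))
```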

Source: opennet.ru
