| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAF2Wu1aypm4hsXcg5ukpsQQEAE_yQB_=O=LwKECgriWMAA+xBw@mail.gmail.com>
Date: Sat, 24 Jan 2026 18:01:43 +0000
From: Andrey Stoykov <mwebsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Weak Password Complexity - elggv6.3.3
# Exploit Title: Elgg - Lack of Password Complexity
# Date: 1/2026
# Exploit Author: Andrey Stoykov
# Version: 6.3.3
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2026/01/friday-fun-pentest-series-48-weak.html
// HTTP Request - Changing Password
POST /action/usersettings/save HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0)
Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 216
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/settings/user/admin
Cookie: Elgg=5ivi0vt1g9jqu1sju70hfnm0mc
Upgrade-Insecure-Requests: 1
Priority: u=0, i
__elgg_token=nIY_M_wh53bUxoHvuKO1YA&__elgg_ts=1769266299&username=admin&name=Admin+User&email_password=&email=
admin@...mple.com
¤t_password=[REDACTED]&password=Passw0rd%21&password2=Passw0rd%21&language=en&guid=46
// HTTP Response - Changing Password
HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:52:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/settings/user/admin
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 394
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='
http://elgg.local/settings/user/admin'" />
<title>Redirecting to http://elgg.local/settings/user/admin</title>
</head>
<body>
Redirecting to <a href="http://elgg.local/settings/user/admin">
http://elgg.local/settings/user/admin</a>.
</body>
</html>
// HTTP Request - Changing Password - Following Redirect
GET /settings/user/admin HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0)
Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/usersettings/save
Cookie: Elgg=5ivi0vt1g9jqu1sju70hfnm0mc
Upgrade-Insecure-Requests: 1
Priority: u=0, i
// HTTP Response - Changing Password - Following Redirect
HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:52:11 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 27859
[...]
<div class="elgg-message elgg-message-success"><div class="elgg-inner"><div
class="elgg-body">Password changed</div></div></div>
[...]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists