Saturday, 24 January 2026

Friday Fun Pentest Series - 48 - Weak Password Complexity - elggv6.3.3

 Description

- It was noted that the "Password Update" functionality allowed users to set weak passwords.


Weak Password Complexity

Steps to Reproduce:
  1. Visit profile page and change the password to "Passw0rd!"
// HTTP Request - Changing Password

POST /action/usersettings/save HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 216
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/settings/user/admin
Cookie: Elgg=5ivi0vt1g9jqu1sju70hfnm0mc
Upgrade-Insecure-Requests: 1
Priority: u=0, i

__elgg_token=nIY_M_wh53bUxoHvuKO1YA&__elgg_ts=1769266299&username=admin&name=Admin+User&email_password=&email=admin@example.com&current_password=[REDACTED]&password=Passw0rd%21&password2=Passw0rd%21&language=en&guid=46


// HTTP Response - Changing Password

HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:52:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/settings/user/admin
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 394

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='http://elgg.local/settings/user/admin'" />

        <title>Redirecting to http://elgg.local/settings/user/admin</title>
    </head>
    <body>
        Redirecting to <a href="http://elgg.local/settings/user/admin">http://elgg.local/settings/user/admin</a>.
    </body>
</html>


// HTTP Request - Changing Password - Following Redirect

GET /settings/user/admin HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/usersettings/save
Cookie: Elgg=5ivi0vt1g9jqu1sju70hfnm0mc
Upgrade-Insecure-Requests: 1
Priority: u=0, i



// HTTP Response - Changing Password - Following Redirect

HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:52:11 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 27859

[...]
<div class="elgg-message elgg-message-success"><div class="elgg-inner"><div class="elgg-body">Password changed</div></div></div>
[...]

at No comments:

Friday Fun Pentest Series - 47 - Username Enumeration - elggv6.3.3

Description

- It was noted that the "Fogot Password" functionality was vulnerable to "Username Enumeration"

Username Enumeration

Steps to Reproduce:
  1. Enter valid user and observe HTTP response
  2. Enter invalid user and observer HTTP response

// HTTP Request - Resetting Password - Valid User

POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/forgotpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i
__elgg_token=2Cpt0GyVW9swhLkm5PggkQ&__elgg_ts=1769264047&username=admin

// HTTP Response - Resetting Password - Valid User

HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:14:43 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 318
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='http://elgg.local/'" />
        <title>Redirecting to http://elgg.local/</title>
    </head>
    <body>
        Redirecting to <a href="http://elgg.local/">http://elgg.local/</a>.
    </body>
</html>

// HTTP Request - Following Redirection - Valid User

GET / HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/user/requestnewpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

// HTTP Response - Following Redirection - Valid User

HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:14:46 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 20646
[...]
<div class="elgg-message elgg-message-success"><div class="elgg-inner"><div class="elgg-body">Successfully requested a new password, email sent</div></div></div>
[...]


// HTTP Request - Resetting Password - Invalid User

POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/forgotpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i
__elgg_token=2Cpt0GyVW9swhLkm5PggkQ&__elgg_ts=1769264047&username=x

// HTTP Response - Resetting Password - Invalid User

HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:15:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/forgotpassword
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 374
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='http://elgg.local/forgotpassword'" />
        <title>Redirecting to http://elgg.local/forgotpassword</title>
    </head>
    <body>
        Redirecting to <a href="http://elgg.local/forgotpassword">http://elgg.local/forgotpassword</a>.
    </body>
</html>

// HTTP Request - Following Redirection - Invalid User

GET /forgotpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/user/requestnewpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

// HTTP Response - Following Redirection - Invalid User

HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:15:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 19681
[...]
<div class="elgg-message elgg-message-error"><div class="elgg-inner"><div class="elgg-body">Username x not found.</div></div></div>
[...]



at No comments:
Subscribe to: Comments (Atom)

Friday Fun Pentest Series - 48 - Weak Password Complexity - elggv6.3.3

  Description - It was noted that the "Password Update" functionality allowed users to set weak passwords. Weak Password Complexit...