# Exploit Title: Elgg - Lack of Password Complexity
# Date: 1/2026
# Exploit Author: Andrey Stoykov
# Version: 6.3.3
# Tested on: Ubuntu 22.04
# Blog: https://msecureltd.blogspot.com/2026/01/friday-fun-pentest-series-48-weak.html
// HTTP Request - Changing Password

POST /action/usersettings/save HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 216
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/settings/user/admin
Cookie: Elgg=5ivi0vt1g9jqu1sju70hfnm0mc
Upgrade-Insecure-Requests: 1
Priority: u=0, i

__elgg_token=nIY_M_wh53bUxoHvuKO1YA&__elgg_ts=1769266299&username=admin&name=Admin+User&email_password=&email=[email protected]&current_password=[REDACTED]&password=Passw0rd%21&password2=Passw0rd%21&language=en&guid=46

// HTTP Response - Changing Password

HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:52:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/settings/user/admin
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 394

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='http://elgg.local/settings/user/admin'" />
<title>Redirecting to http://elgg.local/settings/user/admin</title>
</head>
<body>
Redirecting to <a href="http://elgg.local/settings/user/admin">http://elgg.local/settings/user/admin</a>.
</body>
</html>

// HTTP Request - Changing Password - Following Redirect

GET /settings/user/admin HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/usersettings/save
Cookie: Elgg=5ivi0vt1g9jqu1sju70hfnm0mc
Upgrade-Insecure-Requests: 1
Priority: u=0, i

// HTTP Response - Changing Password - Following Redirect

HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:52:11 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 27859

[...]
<div class="elgg-message elgg-message-success"><div class="elgg-inner"><div class="elgg-body">Password changed</div></div></div>
[...]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
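A defender-side check for the weakness shown above, added here as an example and not taken from the advisory or from Elgg's own code: it parses the same usersettings/save form body and shows that Passw0rd! satisfies a textbook complexity rule yet fails a length floor and a screen against common passwords. The e-mail address, the minimum length and the tiny deny list are assumed placeholders standing in for real deployment values.

```python
import re
from urllib.parse import parse_qs

# Constructed copy of the POST /action/usersettings/save body from the advisory; the
# e-mail and current password are placeholders, the new password is the one the advisory sent.
SAMPLE_BODY = (
    "__elgg_token=nIY_M_wh53bUxoHvuKO1YA&__elgg_ts=1769266299&username=admin"
    "&name=Admin+User&email_password=&email=user%40example.invalid"
    "&current_password=%5BREDACTED%5D&password=Passw0rd%21&password2=Passw0rd%21"
    "&language=en&guid=46"
)

# Tiny constructed stand-in for a real breached/common-password corpus (NIST SP 800-63B
# asks that new passwords be screened against such a list).
COMMON_PASSWORDS = {"password", "password1", "qwerty", "letmein", "welcome1", "admin"}

# Reverse the usual "leet" substitutions so variants collapse onto the base word.
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Lowercase, undo leet substitutions, drop non-letters: 'Passw0rd!' -> 'password'."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def meets_naive_complexity(pw: str) -> bool:
    """A classic 'complexity' rule (8+ chars, 3 of 4 character classes) that Passw0rd! passes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and sum(re.search(p, pw) is not None for p in classes) >= 3


def check_password_change(body: str, min_length: int = 12) -> list[str]:
    """Return policy violations for the new password in the form body; empty means accepted."""
    form = parse_qs(body, keep_blank_values=True)
    pw = form.get("password", [""])[0]
    pw2 = form.get("password2", [""])[0]
    username = form.get("username", [""])[0]
    problems = []
    if pw != pw2:
        problems.append("password and password2 do not match")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a known common password after normalization")
    return problems
```

Running `check_password_change(SAMPLE_BODY)` reports two violations for the advisory's password, while `meets_naive_complexity("Passw0rd!")` is true, which is why a character-class rule alone is not a sufficient fix.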
