Nextcloud: BruteForce in to Admin Account

2016-12-04T12:46:24
ID H1:188205
Type hackerone
Reporter hackerwahab
Modified 2016-12-04T18:49:18

Description

Hello,

My name is Abdulwahab. I want to alert you that your website is facing a serious problem called username enumeration. This problem is on nextcloud.com/wp-admin.

We use wpscan to get the username, and the username is "frank". After getting the username, a user can brute-force it using wpscan, get access to the admin panel, upload a shell and also get all subdomains, which means the full server is hacked!

FIX

To fix this, use WordPress Login Attemptizer.

Thanks, ABDULWAHAB, Independent Cyber Security Researcher