================================================================================
BURKINA FASO -- GOV AGENCIES PROBE ROUND 2
Probed: 2026-03-04 ~07:35-07:43 UTC
Total domains tested: 42
Live (HTTP 200): 25 | Responding with an error only (400/403): 2 | Unreachable: 15
================================================================================

################################################################################

*** CRITICAL FINDINGS -- OPEN WORDPRESS USER ENUMERATION ***

The following 4 sites expose /wp-json/wp/v2/users to unauthenticated
requests, returning user IDs, display names and slugs (the slug is derived
from the login name by default):

1. onef.gov.bf (Observatoire National de l'Emploi et de la Formation)
   - WP API: FULLY OPEN
   - Users: 2 accounts
       ID:42 | onef (slug: onef)
       ID:1  | webmaster (slug: webmaster)
   - Server: Apache/2.4.57 (Debian), PHP/8.2.16
   - Plugins: Contact Form 7, WPDM, Redux, Slider Revolution, MC4WP,
     Elementor, Elementor Pro, MonsterInsights, Forminator, Font Awesome,
     Redirection

2. anpe.gov.bf (Agence Nationale pour l'Emploi)
   - WP API: FULLY OPEN
   - Users: 3 accounts
       ID:3 | DCRP/ANPE (slug: souleymane-kanazoe)
       ID:4 | Ismael Cedric BENON (slug: benon-cedric)
       ID:1 | webmaster (slug: webmaster)
   - Server: Apache/2.4.57 (Debian), PHP/8.2.16
   - Plugins: Contact Form 7, WPDM, Slider Revolution, MC4WP,
     Elementor, MonsterInsights, Elementor Pro, Forminator, Font Awesome
   - NOTE: Same server stack as onef.gov.bf (shared hosting likely)

3. anptic.gov.bf (Agence Nationale de Promotion des TIC)
   - WP API: FULLY OPEN
   - Users: 3 accounts
       ID:2 | Aicha Ilboudo (slug: dcrp)
       ID:3 | Axelle OUEDRAOGO (slug: axelle)
       ID:1 | webmaster (slug: webmaster)
   - Server: Apache/2.4.57 (Debian), PHP/8.2.16
   - Plugins: iThemes Security, AIOSEO 4.8.7.2, Contact Form 7, WPDM,
     MonsterInsights, WPForms, ElementsKit, MetForm
   - Generator: All in One SEO (AIOSEO) 4.8.7.2
   - NOTE: Same server stack (shared hosting with onef/anpe)
   - NOTE: iThemes Security is installed, but its REST API user-listing
     restriction is evidently not enabled, since the endpoint is open

4. www.agriculture.bf (Ministere de l'Agriculture, MAERAH)
   - WP API: FULLY OPEN
   - Users: 3 accounts
       ID:3 | Dominique Diappa (slug: dominique-diappa)
       ID:2 | Kpaar-ci (slug: thierry-sou)
       ID:1 | superadmin (slug: superadmin)   *** SUPERADMIN EXPOSED ***
   - Server: nginx
   - Redirects: http -> https via www.agriculture.bf

################################################################################

################################################################################

*** WORDPRESS DETECTED -- USERS RESTRICTED ***

5. enam.bf (Ecole Nationale d'Administration et de Magistrature)
   - WP API: OPEN (namespaces visible)
   - Users: RESTRICTED (401 rest_user_cannot_view)
   - Server: LiteSpeed
   - Plugins: Akismet, AIOSEO, Contact Form 7, Jetpack, LearnPress,
     LiteSpeed Cache, Slider Revolution, Wordfence
   - Generator: All in One SEO (AIOSEO) 4.8.5

################################################################################

################################################################################

*** DRUPAL 10 DETECTED ***

6. www.capes.bf (Centre d'Analyse des Politiques Economiques et Sociales)
   - CMS: Drupal 10
   - X-Generator: Drupal 10 (https://www.drupal.org)
   - Server: nginx (Plesk)
   - PHP: 8.2.30
   - X-Drupal-Cache: HIT (caching enabled)
   - JSON:API: Returns 404 (module likely disabled)
   - /node/1?_format=json: Route exists but only supports HTML format
   - Custom theme: capesth

################################################################################

################################################################################

*** TYPO3 CMS CLUSTER (gov.bf shared infrastructure) ***

The following domains all run on the same Apache/PHP 7.3.31 TYPO3
infrastructure with an identical header pattern (301->www, 307->/accueil).
The TYPO3 backend login (/typo3/, the default backend path) answered 200 on
all of these sites from the probe's external vantage point, i.e. there is no
network-level restriction in front of it.
The /wp-json/ path returns 301 to www. but is NOT actual WordPress.

 7. www.mae.gov.bf (Min. Affaires Etrangeres)
 8. www.mea.gov.bf (Min. Eau et Assainissement)
 9. www.mesrsi.gov.bf (Min. Enseignement Superieur)
10. www.mdenp.gov.bf (Min. Environnement)
11. www.energie-mines.gov.bf (Min. Energie et Mines)
12. www.communication.gov.bf (Min. Communication)
13. www.action-sociale.gov.bf (Min. Action Sociale)
14. www.fonction-publique.gov.bf (Min. Fonction Publique)
15. www.sports.gov.bf (Min. Sports)
16. www.conseil-constitutionnel.gov.bf (Conseil Constitutionnel)
17. www.pndes.gov.bf (Plan National de Developpement Economique et Social)

Common traits:
  - Server: Apache, X-Powered-By: PHP/7.3.31 (7.3 branch EOL since Dec 2021)
  - TYPO3 Bootstrap Package
  - /typo3/ backend login page returns 200 OK
  - HSTS enabled, CSP minimal (default-src 'self')

################################################################################

================================================================================
DETAILED RESULTS PER DOMAIN (alphabetical)
================================================================================

--------------------------------------------------------------------------------
action-sociale.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200 via www.action-sociale.gov.bf)
CMS: TYPO3 (see TYPO3 cluster above)
Server: Apache, PHP/7.3.31
Redirect chain: 301->www, 307->/accueil, 200
TYPO3 backend: /typo3/ accessible (200)

--------------------------------------------------------------------------------
agriculture.bf -> www.agriculture.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: WordPress (CONFIRMED -- full WP REST API exposed)
Server: nginx
WP API: OPEN -- full namespace list exposed
WP Users: *** OPEN -- 3 users enumerated (includes "superadmin") ***
    ID:3 | Dominique Diappa (slug: dominique-diappa)
    ID:2 | Kpaar-ci (slug: thierry-sou)
    ID:1 | superadmin (slug: superadmin)
Security headers: HSTS, X-Frame-Options, X-Content-Type-Options,
    X-XSS-Protection (deprecated), Referrer-Policy, CORP, COOP, COEP,
    Permissions-Policy
Note: HTTPS only works via www.agriculture.bf (bare domain 301s over HTTP)

--------------------------------------------------------------------------------
alias.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: None detected -- Angular/SPA ("Bienvenue a la plateforme ALIAS")
Server: nginx
Static HTML app (13,348 bytes)
Last-Modified: Tue, 23 Jul 2024

--------------------------------------------------------------------------------
anpe.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: WordPress (CONFIRMED -- full WP REST API exposed)
Server: Apache/2.4.57 (Debian), PHP/8.2.16
WP API: OPEN -- "Agence Nationale pour l'Emploi"
WP Users: *** OPEN -- 3 users enumerated ***
    ID:3 | DCRP/ANPE (slug: souleymane-kanazoe)
    ID:4 | Ismael Cedric BENON (slug: benon-cedric)
    ID:1 | webmaster (slug: webmaster)
Cookies: __wpdm_client, PHPSESSID
Plugins detected: Contact Form 7, WPDM, Slider Revolution, MC4WP, Elementor,
    MonsterInsights, Elementor Pro, Forminator, Font Awesome

--------------------------------------------------------------------------------
anptic.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: WordPress (CONFIRMED -- full WP REST API exposed)
Server: Apache/2.4.57 (Debian), PHP/8.2.16
WP API: OPEN -- "Agence Nationale de Promotion des TIC"
WP Users: *** OPEN -- 3 users enumerated ***
    ID:2 | Aicha Ilboudo (slug: dcrp)
    ID:3 | Axelle OUEDRAOGO (slug: axelle)
    ID:1 | webmaster (slug: webmaster)
Generator: All in One SEO (AIOSEO) 4.8.7.2
Plugins: iThemes Security, AIOSEO, Contact Form 7, WPDM, MonsterInsights,
    WPForms, ElementsKit, MetForm
Note: Same hosting as onef.gov.bf and anpe.gov.bf
Note: iThemes Security is present but is not blocking the users endpoint

--------------------------------------------------------------------------------
anssi.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: None detected -- custom Python/Django app (csrftoken cookie, Django-style
    headers)
Server: Not disclosed in headers
Security headers: X-Frame-Options SAMEORIGIN, X-Content-Type-Options, HSTS,
    Referrer-Policy, COOP, Permissions-Policy
Note: This is the ANSSI (national cybersecurity agency) -- no CMS indicators

--------------------------------------------------------------------------------
asce-lc.bf
--------------------------------------------------------------------------------
STATUS: PARTIALLY LIVE (400 Bad Request over HTTP)
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1s PHP/7.4.33 mod_fcgid/2.3.10-dev
Note: Windows host (Win64) -- the only one observed in this batch
Note: PHP 7.4 (EOL Nov 2022) and OpenSSL 1.1.1 (EOL Sep 2023) are both past
    end of life
HTTPS: Not working
HTTP: Returns 400 Bad Request (likely expects a specific Host header /
    virtual host)
CMS: Cannot determine (400 on all paths)

--------------------------------------------------------------------------------
assembleenationale.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: Laravel (XSRF-TOKEN cookie, "assemblee_legislative_de_transition_session"
    cookie)
Server: nginx/1.22.1
Note: Cookie reveals official name: "Assemblee Legislative de Transition"
wp-json path: Returns 301 to an http:// Apache backend, but the actual site is
    Laravel on nginx. The Apache backend (port 80) appears to be a
    different/old backend. No WP users endpoint accessible.

--------------------------------------------------------------------------------
assembleenationale.gov.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
barreau.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
cadastreminier.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
capes.bf -> www.capes.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: Drupal 10 (CONFIRMED)
Server: nginx (Plesk hosting)
PHP: 8.2.30
X-Generator: Drupal 10 (https://www.drupal.org)
X-Drupal-Dynamic-Cache: MISS
X-Drupal-Cache: HIT
Custom theme: capesth
JSON:API module: Appears disabled (404 on /jsonapi/*)
/node/1?_format=json: Returns error (HTML format only)
Organization: Centre d'Analyse des Politiques Economiques et Sociales

--------------------------------------------------------------------------------
ceni.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
communication.gov.bf -> www.communication.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: TYPO3 (see TYPO3 cluster above)
Server: Apache, PHP/7.3.31
Redirect chain: 301->www, 307->/accueil, 200
TYPO3 backend: /typo3/ accessible (200)

--------------------------------------------------------------------------------
conseil-constitutionnel.gov.bf -> www.conseil-constitutionnel.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: TYPO3 (see TYPO3 cluster above)
Server: Apache, PHP/7.3.31
Redirect chain: 301->www, 307->/accueil, 200
TYPO3 backend: /typo3/ accessible (200)

--------------------------------------------------------------------------------
culture.gov.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
data.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: None detected -- static HTML ("BF Data Platform")
Server: Not disclosed
Security headers: HSTS (preload), X-Frame-Options, X-Content-Type-Options,
    X-XSS-Protection (deprecated), Referrer-Policy, Permissions-Policy
Content: 3,316 bytes static page
Last-Modified: Fri, 12 Sep 2025

--------------------------------------------------------------------------------
e-competences.gov.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
econcours.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: None detected -- Angular SPA ("e-concours | Inscription en ligne aux
    concours directs")
Server: nginx
Static HTML app (8,972 bytes)
Last-Modified: Sat, 15 Nov 2025

--------------------------------------------------------------------------------
enam.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: WordPress (CONFIRMED -- WP REST API open, users restricted)
Server: LiteSpeed
WP API: OPEN -- "ENAM - Ecole Nationale d'Administration et de Magistrature"
WP Users: RESTRICTED (401 -- "rest_user_cannot_view")
Generator: All in One SEO (AIOSEO) 4.8.5
Plugins: Akismet, AIOSEO, Contact Form 7, Jetpack, Jetpack Boost, LearnPress,
    LiteSpeed Cache, Slider Revolution, Wordfence
Cache: LiteSpeed cache HIT, max-age=2592000 (30 days)
Note: Wordfence active -- likely the reason the users endpoint is blocked
    (its username-discovery protection answers with this same error code)

--------------------------------------------------------------------------------
energie-mines.gov.bf -> www.energie-mines.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: TYPO3 (see TYPO3 cluster above)
Server: Apache, PHP/7.3.31
Redirect chain: 301->www, 307->/accueil, 200
TYPO3 backend: /typo3/ accessible (200)

--------------------------------------------------------------------------------
fonadr.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
fonction-publique.gov.bf -> www.fonction-publique.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: TYPO3 (see TYPO3 cluster above)
Server: Apache, PHP/7.3.31
Redirect chain: 301->www, 307->/accueil, 200
TYPO3 backend: /typo3/ accessible (200)

--------------------------------------------------------------------------------
impots.gov.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
infrastructures.gov.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
insd.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
justice.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: None detected -- Laravel (XSRF-TOKEN,
    "ministere-de-la-justice-burkina-faso-session")
Server: MoJ-Gateway (custom)
Security headers: EXCELLENT -- full CSP with specific directives, HSTS preload,
    COEP, COOP, Permissions-Policy, X-Frame-Options DENY
Note: Best-secured site in this batch. Custom gateway server name.
--------------------------------------------------------------------------------
mae.gov.bf -> www.mae.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: TYPO3 (see TYPO3 cluster above)
Server: Apache, PHP/7.3.31
Redirect chain: 301->www, 307->/accueil, 200
TYPO3 backend: /typo3/ accessible (200)

--------------------------------------------------------------------------------
mbdhp.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
mdenp.gov.bf -> www.mdenp.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: TYPO3 (see TYPO3 cluster above)
Server: Apache, PHP/7.3.31
Redirect chain: 301->www, 307->/accueil, 200
TYPO3 backend: /typo3/ accessible (200)

--------------------------------------------------------------------------------
mea.gov.bf -> www.mea.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: TYPO3 (see TYPO3 cluster above)
Server: Apache, PHP/7.3.31
Redirect chain: 301->www, 307->/accueil, 200
TYPO3 backend: /typo3/ accessible (200)

--------------------------------------------------------------------------------
mesrsi.gov.bf -> www.mesrsi.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: TYPO3 (see TYPO3 cluster above)
Server: Apache, PHP/7.3.31
Redirect chain: 301->www, 307->/accueil, 200
TYPO3 backend: /typo3/ accessible (200)

--------------------------------------------------------------------------------
onaser.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
onef.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: WordPress (CONFIRMED -- full WP REST API exposed)
Server: Apache/2.4.57 (Debian), PHP/8.2.16
WP API: OPEN -- "OBSERVATOIRE NATIONAL DE L'EMPLOI ET DE LA FORMATION"
WP Users: *** OPEN -- 2 users enumerated ***
    ID:42 | onef (slug: onef)
    ID:1  | webmaster (slug: webmaster)
Cookies: __wpdm_client, PHPSESSID
Plugins: Contact Form 7, WPDM, Redux, Slider Revolution, MC4WP, Elementor,
    Elementor Pro, MonsterInsights, Forminator, Font Awesome, Redirection

--------------------------------------------------------------------------------
pndes.gov.bf -> www.pndes.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: TYPO3 (see TYPO3 cluster above)
Server: Apache, PHP/7.3.31
Redirect chain: 301->www, 307->/accueil, 200
TYPO3 backend: /typo3/ accessible (200)

--------------------------------------------------------------------------------
regipiv.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
scadd.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

--------------------------------------------------------------------------------
service-public.bf
--------------------------------------------------------------------------------
STATUS: LIVE (403 Forbidden)
Server: Cloudflare
CDN: Via IAD1 (Ashburn, Virginia)
Note: Behind Cloudflare, returns 403 -- either access-restricted/misconfigured
    at the origin or a Cloudflare WAF/bot rule rejecting the probe client.
    No CMS fingerprint obtainable behind the 403.

--------------------------------------------------------------------------------
servicepublic.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: Laravel PHP framework (NOT WordPress)
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
Cookies: XSRF-TOKEN, service_public_burkinabe_session (Laravel signatures)
Note: Old CentOS with PHP 7.2.34 (EOL Nov 2020) and OpenSSL 1.0.2k
    (EOL Dec 2019). The wp-json path exists but returns the Laravel 404 page
    -- a false positive for WP detection.

--------------------------------------------------------------------------------
sif.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: None detected -- Java/Spring Boot app (Angular SPA frontend)
Server: Not disclosed
Security: Strong CSP, HSTS, X-Frame-Options DENY, reCAPTCHA integration
Features: Angular SPA, Google Maps, reCAPTCHA, YouTube embeds
Language: fr-FR
Note: "Systeme d'Information Fonciere" -- land management system

--------------------------------------------------------------------------------
sports.gov.bf -> www.sports.gov.bf
--------------------------------------------------------------------------------
STATUS: LIVE (200)
CMS: TYPO3 (see TYPO3 cluster above)
Server: Apache, PHP/7.3.31
Redirect chain: 301->www, 307->/accueil, 200
TYPO3 backend: /typo3/ accessible (200)

--------------------------------------------------------------------------------
tic.gov.bf
--------------------------------------------------------------------------------
STATUS: UNREACHABLE

================================================================================
SUMMARY BY CMS / TECHNOLOGY
================================================================================

WORDPRESS (5 sites):
  OPEN USERS: onef.gov.bf, anpe.gov.bf, anptic.gov.bf, www.agriculture.bf
  RESTRICTED: enam.bf (Wordfence active)

TYPO3 CMS (11 sites -- shared cluster on Apache/PHP 7.3.31):
  mae.gov.bf, mea.gov.bf, mesrsi.gov.bf, mdenp.gov.bf, energie-mines.gov.bf,
  communication.gov.bf, action-sociale.gov.bf, fonction-publique.gov.bf,
  sports.gov.bf, conseil-constitutionnel.gov.bf, pndes.gov.bf
  ** /typo3/ backend login accessible on ALL 11 sites **
  ** PHP 7.3.31 is END OF LIFE (7.3 branch EOL since Dec 2021) **

DRUPAL 10 (1 site):
  www.capes.bf (JSON:API disabled)

LARAVEL (3 sites):
  servicepublic.gov.bf (PHP 7.2.34 EOL)
  justice.gov.bf (well-secured)
  assembleenationale.bf (nginx/1.22.1)

ANGULAR/SPA (2 sites):
  alias.gov.bf, econcours.bf

DJANGO (1 site):
  anssi.bf (national cybersecurity agency)

JAVA/SPRING (1 site):
  sif.bf (land management)

CLOUDFLARE 403 (1 site):
  service-public.bf

APACHE WIN64 / 400 ERROR (1 site):
  asce-lc.bf

STATIC HTML (1 site):
  data.gov.bf

UNREACHABLE (15 sites):
  infrastructures.gov.bf, culture.gov.bf, tic.gov.bf, e-competences.gov.bf,
  assembleenationale.gov.bf, barreau.bf, ceni.bf, impots.gov.bf, regipiv.bf,
  insd.bf, onaser.bf, scadd.bf, fonadr.bf, cadastreminier.bf, mbdhp.bf
  (15 unreachable plus the 2 error-only hosts, asce-lc.bf and
  service-public.bf, = 17 hosts serving no content)

================================================================================
NOTABLE SECURITY OBSERVATIONS
================================================================================

1. SHARED WORDPRESS HOSTING (onef/anpe/anptic): All three report the identical
   Apache/2.4.57 (Debian) + PHP/8.2.16 stack -- likely the same server. If
   they share a hosting account or PHP worker, compromise of one site exposes
   the other two.

2. TYPO3 CLUSTER: 11 ministry sites on identical infrastructure with the
   /typo3/ backend login exposed to the internet and PHP 7.3.31 (4+ years
   past EOL). High-value target cluster: the backend should at minimum be
   IP- or VPN-restricted, and the PHP runtime upgraded.

3. servicepublic.gov.bf: Running CentOS with OpenSSL 1.0.2k (6+ years EOL)
   and PHP 7.2.34 (5+ years EOL). Multiple known vulnerabilities in both
   branches. asce-lc.bf's PHP 7.4.33 / OpenSSL 1.1.1s are also past EOL.

4. agriculture.bf: "superadmin" username exposed -- trivially guessable and
   now confirmed, so a credential attack against the login endpoint needs
   only the password. Rename the account and enforce MFA.

5. asce-lc.bf: Running Apache on Windows (Win64) -- the only Windows host in
   this batch; possibly a development/staging server left exposed.

6. assembleenationale.bf: The session cookie name reveals that the National
   Assembly now operates as the "Assemblee Legislative de Transition"
   (transitional legislative assembly). An old Apache backend behind the
   nginx Laravel frontend still answers on the /wp-json path, consistent
   with a migration from WordPress to Laravel; the old backend should be
   decommissioned or firewalled.

7. TOTAL EXPOSED WORDPRESS USERNAMES: 11 accounts across 4 government sites
   with display names, slugs, gravatar hashes (in avatar_urls) and author
   archive URLs.
   Mitigation: restrict wp/v2/users to authenticated users (the built-in
   option in Wordfence or iThemes Security, or unregistering the route via
   the rest_endpoints filter). Restricting the REST route alone still leaves
   the ?author=N redirect and the oEmbed author fields as alternative
   enumeration paths; this probe round did not check those.
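The following Python triage helper is an added example, not part of the probe tooling that produced this report. It turns per-host records (Server / X-Powered-By headers, the /wp-json/wp/v2/users response, the /typo3/ status) into findings in the report's own categories, and settles WordPress user-enumeration on the JSON body rather than the status code, which is what separates the four open sites from the Laravel 404 and TYPO3 301 false positives noted above. The EOL date table, the record layout and the *.example sample hosts are assumptions constructed for the example, not data from the probe.

```python
"""Triage helper for probe records like those tabulated in this report.

Added example, not part of the probe tooling. Classifies, per host:
  - /wp-json/wp/v2/users: OPEN / RESTRICTED / NOT_WORDPRESS (non-JSON bodies
    such as a Laravel 404 page or a TYPO3 301 are false positives)
  - /typo3/ backend login page answering 200
  - end-of-life PHP / OpenSSL branches advertised in Server / X-Powered-By
The sample records at the bottom are constructed; hostnames are placeholders.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import date

# Assumed security-support end dates per branch; verify against php.net and
# openssl.org before relying on them.
PHP_EOL = {
    "7.2": date(2020, 11, 30), "7.3": date(2021, 12, 6), "7.4": date(2022, 11, 28),
    "8.0": date(2023, 11, 26), "8.1": date(2025, 12, 31), "8.2": date(2026, 12, 31),
}
OPENSSL_EOL = {"1.0.2": date(2019, 12, 31), "1.1.1": date(2023, 9, 11)}

_PHP_RE = re.compile(r"PHP/(\d+\.\d+)\.\d+")
_OPENSSL_RE = re.compile(r"OpenSSL/(\d+\.\d+\.\d+)[a-z]*")

# Error codes WordPress core / Wordfence return when listing is denied, plus
# rest_no_route for a site that unregistered the route entirely.
RESTRICTED_CODES = {"rest_user_cannot_view", "rest_forbidden", "rest_no_route"}


@dataclass
class Probe:
    host: str
    server: str = ""        # Server response header
    powered_by: str = ""    # X-Powered-By response header
    users_status: int = 0   # HTTP status for GET /wp-json/wp/v2/users
    users_body: str = ""    # response body for that request
    typo3_status: int = 0   # HTTP status for GET /typo3/


def classify_wp_users(status: int, body: str) -> str:
    """Decide from the body, not the status code, whether the users route is
    open. A 301/404 with a non-JSON body is not WordPress at all. An empty
    JSON list still counts as OPEN (WP only lists users with published posts)."""
    try:
        data = json.loads(body)
    except ValueError:
        return "NOT_WORDPRESS"
    if status == 200 and isinstance(data, list) and all(
        isinstance(u, dict) and "slug" in u for u in data
    ):
        return "OPEN"
    if isinstance(data, dict) and data.get("code") in RESTRICTED_CODES:
        return "RESTRICTED"
    return "UNKNOWN"


def extract_users(body: str) -> list[tuple[int, str, str]]:
    """(id, display name, slug) for each account in an open users response."""
    return [(u["id"], u.get("name", ""), u.get("slug", "")) for u in json.loads(body)]


def eol_findings(server: str, powered_by: str, today: date) -> list[str]:
    """Flag PHP / OpenSSL branches advertised in headers that are past EOL."""
    findings = []
    m = _PHP_RE.search(f"{server} {powered_by}")
    if m and (eol := PHP_EOL.get(m.group(1))) and eol < today:
        findings.append(f"PHP {m.group(1)} EOL since {eol.isoformat()}")
    m = _OPENSSL_RE.search(server)
    if m and (eol := OPENSSL_EOL.get(m.group(1))) and eol < today:
        findings.append(f"OpenSSL {m.group(1)} EOL since {eol.isoformat()}")
    return findings


def triage(probes: list[Probe], today: date) -> dict[str, list[str]]:
    """Map host -> finding strings, in the report's own categories."""
    out: dict[str, list[str]] = {}
    for p in probes:
        items: list[str] = []
        verdict = classify_wp_users(p.users_status, p.users_body)
        if verdict == "OPEN":
            users = extract_users(p.users_body)
            slugs = ", ".join(f"ID:{i} {slug}" for i, _, slug in users)
            items.append(f"WP users OPEN ({len(users)}): {slugs}")
            if any(s in {"admin", "administrator", "superadmin", "root"} for _, _, s in users):
                items.append("privileged-looking username exposed")
        elif verdict == "RESTRICTED":
            items.append("WP users RESTRICTED")
        if p.typo3_status == 200:
            items.append("TYPO3 backend /typo3/ reachable")
        items.extend(eol_findings(p.server, p.powered_by, today))
        out[p.host] = items
    return out


PROBE_DATE = date(2026, 3, 4)

# Constructed records mirroring the report's four situations (placeholder hosts).
SAMPLES = [
    Probe("wp-open.example", server="nginx", users_status=200,
          users_body=json.dumps([{"id": 3, "name": "D. D.", "slug": "dd"},
                                 {"id": 1, "name": "superadmin", "slug": "superadmin"}])),
    Probe("wp-restricted.example", server="LiteSpeed", users_status=401,
          users_body=json.dumps({"code": "rest_user_cannot_view",
                                 "message": "Sorry, you are not allowed to list users.",
                                 "data": {"status": 401}})),
    Probe("laravel.example", server="Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34",
          users_status=404, users_body="<!DOCTYPE html><title>404 Not Found</title>"),
    Probe("typo3.example", server="Apache", powered_by="PHP/7.3.31",
          users_status=301, users_body="", typo3_status=200),
]

if __name__ == "__main__":
    for host, items in triage(SAMPLES, PROBE_DATE).items():
        print(host, "->", "; ".join(items) or "no findings")
```

Feeding it real probe output means populating Probe records from captured responses; the point of the body-based check is that a 301 or a framework 404 on the wp-json path never gets reported as WordPress, which is exactly the false positive the report flags for servicepublic.gov.bf and the TYPO3 cluster.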
================================================================================
END OF REPORT
================================================================================