# BRVM (www.brvm.org) -- Intelligence Report
**Date:** 2026-03-04
**Target:** Bourse Régionale des Valeurs Mobilières (Regional Stock Exchange of West Africa)
**URL:** https://www.brvm.org
**Coverage:** All 8 WAEMU/UEMOA member states -- the sole stock exchange for the entire WAEMU economic zone
**HQ:** Abidjan, Côte d'Ivoire

---

## Infrastructure Fingerprint

| Component | Value |
|-----------|-------|
| CMS | **Drupal 7.82** (confirmed via CHANGELOG.txt) |
| Web Server | nginx (no version exposed) |
| PHP | **PHP 7.0.33** (X-Powered-By header) |
| Hosting Panel | **Plesk Linux** (X-Powered-By: PleskLin) |
| Theme | Custom "brvm" (`sites/all/themes/custom/brvm/`) |
| jQuery | **1.4.4** (extremely outdated, exposed in install.php) |
| HTTPS | Yes, valid certificate |
| X-Frame-Options | SAMEORIGIN |
| JSON API | Not available (Drupal 7 does not support ?_format=json or /jsonapi natively) |

## CRITICAL: Severely Outdated Stack

### Drupal 7.82 -- End of Life
- **Released:** 2021-07-21
- **Current status:** Drupal 7 reached official End of Life on 2025-01-05
- **Last security update in CHANGELOG:** SA-CORE-2021-004
- **Missing:** 5+ years of security patches issued after the deployed version
- **Known CVEs affecting D7 post-7.82:** Multiple critical vulnerabilities including SA-CORE-2022-005 (arbitrary PHP code execution), SA-CORE-2023-003, SA-CORE-2024-001

### PHP 7.0.33 -- Severely End of Life
- **PHP 7.0 EOL:** 2018-12-03 (over 7 years ago)
- **Impact:** No security patches since December 2018. Multiple critical CVEs in PHP 7.0 (serialization, file upload, memory corruption) remain unpatched
- **Current PHP stable:** 8.3.x/8.4.x

## Key Findings

### 1. CHANGELOG.txt Fully Exposed (HIGH)
- **URL:** `/CHANGELOG.txt`
- **Size:** 116,819 bytes -- complete Drupal 7 change history
- **Confirms exact version:** Drupal 7.82, released 2021-07-21
- **Impact:** Precise version fingerprinting for targeted exploitation

### 2. install.php Accessible (MEDIUM)
- **URL:** `/install.php`
- **Response:** "Drupal already installed" page with full system CSS/JS paths
- **Reveals:** jQuery 1.4.4 (ancient), Seven admin theme paths, module structure
- **Impact:** Further confirms the technology stack; jQuery 1.4.4 has numerous known XSS vulnerabilities

### 3. XML-RPC Endpoint Active (MEDIUM)
- **URL:** `/xmlrpc.php`
- **Response:** "XML-RPC server accepts POST requests only" (42 bytes)
- **Impact:** XML-RPC is a known attack vector for brute-force amplification (system.multicall), pingback attacks, and DoS. It should be disabled on production Drupal 7 sites.

### 4. Multiple Drupal Core Files Exposed (MEDIUM)
- `/INSTALL.txt` (17,995 bytes) -- Full installation guide
- `/UPGRADE.txt` (10,123 bytes) -- Upgrade documentation
- `/LICENSE.txt` (18,092 bytes) -- GPL license
- `/robots.txt` (2,189 bytes) -- Standard Drupal 7 robots with path structure
- All of these should be removed or access-restricted in production

### 5. Login Form with CSRF Tokens (LOW)
- **URL:** `/user/login`
- **Form fields exposed:**
  - `name` (username field)
  - `form_build_id`: `form-0U1ZsOgSy3yYPppWqMJSJ7Ke8WuXY8DlaVSsQwJrVBs`
  - `form_id`: `user_login`
- **Additional forms on page:**
  - `simplenews_block_form_1` -- Newsletter subscription (Simplenews module active)
  - `search_block_form` -- Search functionality exposed

### 6. Node Content Accessible as HTML
- Drupal 7 does not support `?_format=json` -- nodes render as full HTML pages
- **Accessible nodes (200 OK):** 1, 6, 7, 8, 9, 10, 12, 13, 14, 17, 18
- **Access denied (403):** 2, 3, 4, 5, 15 -- restricted content exists
- **Not found (404):** 11, 16, 19, 20 -- deleted or unpublished
- **Content discovered via nodes:**
  - Node 1: Homepage
  - Node 6: Historique (History)
  - Node 7: Missions
  - Node 8: Architecture
  - Node 9: Gouvernance (Governance)
  - Node 10: Organigramme (Organization chart)
  - Nodes 12-13: Rapports (Reports)
  - Node 14: ASEA (African Securities Exchanges Association)
  - Node 17: Equipe de la BRVM (BRVM Team -- staff listing)
  - Node 18: Offres d'emploi (Job offers)

### 7. RSS Feed with Financial Intelligence (HIGH VALUE)
- **URL:** `/rss.xml`
- **Size:** 54,705 bytes (10 articles)
- **Contains:**
  - Full article HTML bodies with financial data
  - Market capitalization: 14,069 billion FCFA (Jan 2026)
  - Year-over-year growth: +5.54% in January 2026 alone
  - Transaction volumes: 31.18 billion FCFA in Jan 2026 (+160.55% YoY)
  - 39 of 47 listed companies showing positive performance
  - 2025 annual total mobilization: 4,204.7 billion FCFA (historic record)
  - BRVM Composite index: +25.26% in 2025, +99.15% over 5 years
  - Total market cap: 24,781.3 billion FCFA (18.37% of UEMOA GDP)
  - BRVM ranks as 5th African stock exchange
  - Author usernames visible (e.g., "lfani")
  - Dr Edoh Kossi AMENOUNVE identified as Director General

### 8. Stock Indices Page
- **URL:** `/fr/indices`
- **Size:** 47,798 bytes
- Contains current stock market indices data for the WAEMU region

### 9. Plesk Hosting Panel
- `X-Powered-By: PleskLin` header reveals Plesk Linux hosting panel
- Plesk admin panels are often accessible on port 8443 or 8880

## Files Saved

- `CHANGELOG.txt` -- 116KB, full Drupal version history confirming 7.82
- `INSTALL.txt` -- 18KB, Drupal installation guide
- `UPGRADE.txt` -- 10KB, Drupal upgrade guide
- `LICENSE.txt` -- 18KB, GPL license
- `install.php.html` -- 3.5KB, "already installed" page
- `robots.txt` -- 2KB, standard Drupal 7 robots
- `rss.xml` -- 55KB, RSS feed with financial data
- `user-login.html` -- 42KB, login form
- `fr-indices.html` -- 48KB, stock indices page
- `cours-actions.html` -- 58KB, stock prices page
- `xmlrpc.php.html` -- 42 bytes, XML-RPC active confirmation
- `node-1.html` through `node-20.html` (accessible pages)

## Attack Surface Assessment

| Vector | Risk Level | Notes |
|--------|-----------|-------|
| Drupal 7.82 (EOL) | **CRITICAL** | 5+ years of unpatched security vulnerabilities |
| PHP 7.0.33 (EOL) | **CRITICAL** | 7+ years past EOL, no security patches since 2018 |
| CHANGELOG.txt exposed | HIGH | Exact version fingerprinting |
| install.php accessible | MEDIUM | Stack fingerprinting, should return 403 |
| XML-RPC enabled | MEDIUM | Brute force amplification, DoS vector |
| jQuery 1.4.4 | HIGH | Numerous known XSS vulnerabilities |
| Plesk hosting | MEDIUM | Additional attack surface on management ports |
| Core text files exposed | LOW | INSTALL.txt, UPGRADE.txt, LICENSE.txt |
| Username leakage | LOW | "lfani" exposed via RSS dc:creator |
| Node enumeration | LOW | Restricted nodes return 403 (content exists but protected) |

## Financial Intelligence Summary

The BRVM is the sole securities exchange for the 8-country WAEMU zone:
- **Total market cap:** ~24,800 billion FCFA (~$40 billion USD)
- **Listed companies:** 47 equities
- **2025 performance:** +25.26% composite index
- **Director General:** Dr Edoh Kossi AMENOUNVE
- **Strategic vision:** "BRVM Horizon 2030" -- AI, blockchain, ETFs, derivatives
- **Key insight:** The entire regional stock exchange runs on an EOL Drupal/PHP stack

## Recommendations for Further Recon
1. Check Plesk admin panel on ports 8443/8880
2. Enumerate `/sites/default/files/` for uploaded documents
3. Test known Drupal 7 post-7.82 CVEs (SA-CORE-2022-005 etc.)
4. Probe XML-RPC with system.listMethods to enumerate available methods
5. Check `/admin/`, `/update.php` response patterns
6. Test for Drupalgeddon-style SQLi (SA-CORE-2014-005 was for D7)
7. Look for `/misc/drupal.js` version strings for additional fingerprinting
