================================================================================ CRITICAL FINDING: cPanel/WHM Full Stack Exposed - cpanel.sig.bf Probed: 2026-03-04 ================================================================================ TARGET: cpanel.sig.bf IP: 5.9.59.157 (Hetzner, Germany) BACKEND HOSTNAME LEAKED: bm.serveurhosting.net (redirects from HTTP:2082) ORG: SIG.BF (Societe d'Informatique et de Gestion, Burkina Faso) SSL CERTIFICATE: Subject: CN=*.sig.bf (wildcard) Issuer: Let's Encrypt R13 Valid: 2026-01-09 to 2026-04-09 SANs: *.sig.bf, sig.bf, www.mailing.sig.bf, www.sondage.sig.bf, www.talk.sig.bf TECHNOLOGY STACK: - cPanel & WHM (Copyright 2026) - Apache web server (disclosed in HTTP headers) - cPanel magic revisions: 1749858375 = June 13, 2025 (most recent CSS update) 1748449569 = May 28, 2025 (fonts update) 1687460811 = June 22, 2023 (IE6 behavior) 1687451311 = June 22, 2023 (images, logo) - Estimated cPanel version: 122.x or later (2025 updates) - Roundcube webmail integrated (session cookies cleared) - Hosted on: serveurhosting.net infrastructure EXPOSED SERVICES - ALL LIVE WITH LOGIN PAGES: ================================================================================ 1. cPanel LOGIN (Port 2083 HTTPS) - LIVE URL: https://cpanel.sig.bf:2083/ Status: 200 OK Title: "cPanel Login" Full login form with username/password Session management: cpsession cookie Roundcube session clearing (integrated webmail) PPA_ID cookie clearing (Passenger app) 2. cPanel LOGIN (Port 443 HTTPS) - LIVE URL: https://cpanel.sig.bf/ Status: 200 OK Same cPanel login served on default HTTPS port Server header: Apache 3. WHM LOGIN (Port 2087 HTTPS) - LIVE URL: https://cpanel.sig.bf:2087/ Status: 200 OK Title: "WHM Login" Full WHM admin login form exposed Session: whostmgrsession cookie THIS IS THE ROOT SERVER ADMIN PANEL 4. WEBMAIL LOGIN (Port 2096 HTTPS) - LIVE URL: https://cpanel.sig.bf:2096/ Status: 200 OK Title: "Webmail Login" Session: webmailsession cookie Roundcube cookies enabled 5. cPanel HTTP REDIRECT (Port 2082) - ACTIVE URL: http://cpanel.sig.bf:2082/ Status: 301 Moved LEAKS BACKEND: Redirects to https://bm.serveurhosting.net:2083/ This exposes the real hosting infrastructure hostname 6. cPanel JSON API - ACTIVE BUT AUTH REQUIRED URL: https://cpanel.sig.bf:2087/json-api/applist Status: 200 (returns JSON error: "Access denied") API endpoint exists and responds 7. cPanel LOGIN API - ACTIVE URL: https://cpanel.sig.bf:2083/login/?login_only=1 Status: 401 (returns JSON: {"status":0,"message":"no_username"}) Programmatic login endpoint exposed ROBOTS.TXT (Port 443): User-agent: * Disallow: / ADDITIONAL SUBDOMAINS (from SSL cert SANs): - www.mailing.sig.bf (mailing service) - www.sondage.sig.bf (survey service) - www.talk.sig.bf (communication service) RISK ASSESSMENT: ================================================================================ - CRITICAL: WHM login exposed on port 2087 - root server admin panel - CRITICAL: Backend hostname leaked: bm.serveurhosting.net - HIGH: Four different login panels exposed (cPanel, WHM, Webmail, API) - HIGH: JSON API endpoints accessible (can enumerate valid responses) - HIGH: Programmatic login endpoint could enable automated brute force - MEDIUM: cPanel version identifiable from magic revision timestamps - MEDIUM: Multiple service subdomains exposed (mailing, sondage, talk) - INFO: Security headers present (X-Frame-Options, X-Content-Type-Options) RAW HEADERS (cPanel 2083): HTTP/1.1 200 OK Connection: close Content-Type: text/html; charset="utf-8" Cache-Control: no-cache, no-store, must-revalidate, private Pragma: no-cache Set-Cookie: cprelogin=no; HttpOnly; secure Set-Cookie: cpsession=...; HttpOnly; secure X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff RAW HEADERS (HTTP 2082 - HOSTNAME LEAK): HTTP/1.1 301 Moved Content-length: 119 Location: https://bm.serveurhosting.net:2083/