================================================================================
CRITICAL FINDING: Kolab Groupware Server - kolab.btic.bf (cloud.btic.bf)
Probed: 2026-03-04
================================================================================

TARGET: kolab.btic.bf / cloud.btic.bf
IP: 149.56.240.77 (OVH Canada)
ORG: BTIC (Burkina TIC - Burkina Faso ICT company)

SSL CERTIFICATE:
  Subject: CN=kolab.btic.bf
  Issuer: Let's Encrypt R13
  Valid: 2026-02-04 to 2026-05-05
  SANs: autoconfig.btic.bf, autodiscover.btic.bf, cloud.btic.bf,
        files.btic.bf, kolab.btic.bf, mail.btic.bf

TECHNOLOGY STACK:
  - Kolab Groupware (full suite)
  - Apache/2.4.62 (AlmaLinux)
  - PHP/8.0.30 (WARNING: PHP 8.0 is EOL since Nov 2023)
  - Roundcube 1.6.12 (rcversion: 10612)
  - SabreDAV 4.7.0 (CalDAV/CardDAV)
  - HAProxy load balancer (front-end, returns 503 when backend down)

EXPOSED SERVICES:
================================================================================

1. ROUNDCUBE WEBMAIL - LIVE LOGIN PAGE
   URL: https://kolab.btic.bf/roundcubemail/
   Status: 200 OK
   Title: "BTIC webmail :: Welcome to BTIC webmail"
   Skin: Kolab skin
   CSRF Token exposed in page source
   Session cookie: roundcube_sessid

2. CHWALA FILE MANAGER - LIVE LOGIN PAGE
   URL: https://kolab.btic.bf/chwala/
   Status: 200 OK
   Login form exposed (username/password)
   PHP session cookie: PHPSESSID
   This is Kolab's cloud file storage component

3. iRONY (CalDAV/CardDAV/WebDAV) - REQUIRES BASIC AUTH
   URL: https://kolab.btic.bf/iRony/
   Status: 401 Unauthorized
   WWW-Authenticate: Basic realm="sabre/dav"
   SabreDAV VERSION DISCLOSED: 4.7.0
   Accepts Basic authentication - brute-forceable

4. FREE/BUSY SERVICE - REQUIRES BASIC AUTH
   URL: https://kolab.btic.bf/freebusy/
   Status: 401 Unauthorized
   WWW-Authenticate: Basic realm="Kolab Free/Busy Service"
   Calendar availability data - can leak user schedules

5. ACTIVESYNC - REQUIRES BASIC AUTH
   URL: https://kolab.btic.bf/Microsoft-Server-ActiveSync
   Status: 401 Unauthorized
   WWW-Authenticate: Basic realm="ActiveSync for Kolab"
   Mobile device sync endpoint

6. IMAPS (Port 993) - LIVE
   Port 993 IMAPS is OPEN and serving the same SSL cert
   IMAP mailbox access with valid credentials

7. KOLAB WEB ADMIN - BLOCKED
   URL: https://kolab.btic.bf/kolab-webadmin/
   Status: 403 Forbidden (blocked by HAProxy rules)
   Admin panel exists but access restricted by IP/rules

RISK ASSESSMENT:
================================================================================

  - CRITICAL: PHP 8.0.30 is END-OF-LIFE (no security patches since Nov 2023)
  - HIGH: Multiple login pages exposed without rate limiting or 2FA visible
  - HIGH: All auth endpoints use HTTP Basic Auth - susceptible to brute force
  - HIGH: SabreDAV version 4.7.0 publicly disclosed
  - HIGH: Chwala file manager login exposed - if breached, full file access
  - MEDIUM: Server headers disclose full stack (Apache, PHP, OS versions)
  - MEDIUM: iRony WebDAV could allow file enumeration with valid creds
  - INFO: kolab-webadmin blocked but confirmed to exist

ADDITIONAL HOSTNAMES FROM CERT (additional attack surface):
  - autoconfig.btic.bf (email autoconfiguration)
  - autodiscover.btic.bf (email autodiscovery)
  - files.btic.bf (file sharing service)
  - mail.btic.bf (mail server)

RAW HEADERS (Roundcube):
  HTTP/1.1 200 OK
  server: Apache/2.4.62 (AlmaLinux)
  x-powered-by: PHP/8.0.30
  expires: Wed, 04 Mar 2026 08:16:02 GMT
  cache-control: private, no-cache, no-store, must-revalidate
  x-frame-options: sameorigin
  content-language: en
  set-cookie: roundcube_sessid=...; path=/; HttpOnly

RAW HEADERS (iRony/SabreDAV):
  HTTP/1.1 401 Unauthorized
  server: Apache/2.4.62 (AlmaLinux)
  x-powered-by: PHP/8.0.30
  www-authenticate: Basic realm="sabre/dav", charset="UTF-8"
  SabreDAV version in XML: 4.7.0