================================================================================
CRITICAL FINDING: Zimbra Collaboration Suite - webmail.cci.bf
Probed: 2026-03-04
================================================================================

TARGET: webmail.cci.bf
IP: 77.246.83.156, 77.246.83.140 (dual A records - load balanced)
ORG: CCI.BF (Chambre de Commerce et d'Industrie du Burkina Faso)

SSL CERTIFICATE:
  Subject: C=FR, ST=Somme, L=Amiens, O=Exoca, CN=*.open2mail.fr
  Issuer: GlobalSign RSA OV SSL CA 2018
  Valid: 2025-08-22 to 2026-09-23
  SANs: *.open2mail.fr, webmail.media2001.be, owa.open2mail.fr, mail.open2mail.fr, autodiscover.open2mail.fr, www.open2mail.fr, open2mail.fr

  NOTE: This is a MANAGED Zimbra service by Exoca (French ISP in Amiens).
        The CCI.BF webmail is hosted by Exoca under the open2mail.fr platform.

TECHNOLOGY STACK:
  - Zimbra Collaboration Suite (Web Client)
  - Build: v=251110135723 (approx. November 10, 2025 build)
  - Skin: Harmony
  - Frontend: nginx
  - Backend: Jetty (Java servlet container)
  - ActiveSync: ENABLED and running
  - SOAP API: Active (requires auth)
  - Preauth: Enabled (parameter validation active)

EXPOSED SERVICES:
================================================================================

1. ZIMBRA WEB CLIENT LOGIN - LIVE
   URL: https://webmail.cci.bf/ (redirects from HTTP to HTTPS)
   Status: 200 OK
   Title: "Zimbra Web Client Sign In"
   Login form with username/password
   CSRF token: ZM_LOGIN_CSRF cookie set
   Client options: Default, Classic, Modern

2. SOAP API ENDPOINT - ACTIVE
   URL: https://webmail.cci.bf/service/soap/
   Status: 400 (GET not supported - expects POST SOAP requests)
   Servlet: SoapServlet
   GetVersionInfo: BLOCKED ("permission denied: Version info is not available")
   GetInfo: Requires auth ("no valid authtoken present")

3. ACTIVESYNC - LIVE AND RUNNING
   URL: https://webmail.cci.bf/Microsoft-Server-ActiveSync
   Status: 200 OK
   Response: "Mobile service is up & running."
   Mobile sync fully operational

4. UPLOAD SERVLET - ACTIVE
   URL: https://webmail.cci.bf/service/upload
   Status: 400 (GET not supported - expects POST uploads)

5. PREAUTH ENDPOINT - ACTIVE
   URL: https://webmail.cci.bf/service/preauth
   Status: 400 ("invalid request: missing required param: preauth")
   Preauth SSO is configured - could be exploited with key disclosure

6. AUTODISCOVER - ACTIVE
   URL: https://webmail.cci.bf/autodiscover/autodiscover.xml
   Status: 200 OK (empty body)
   Email client autoconfiguration active

7. ADMIN CONSOLE (Port 7071) - BLOCKED/FILTERED
   URL: https://webmail.cci.bf:7071/
   Status: Connection timeout (filtered)

8. HTML CLIENT - BLOCKED
   URL: https://webmail.cci.bf/zimbra/h/
   Status: 403 Forbidden

ROBOTS.TXT:
   User-agent: *
   Allow: /
   NOTE: Allows full indexing - poor security posture

RISK ASSESSMENT:
================================================================================
  - HIGH: Zimbra SOAP API accessible (GetVersionInfo blocked but other calls may work)
  - HIGH: Preauth endpoint active - if preauth key is leaked, instant account takeover
  - HIGH: ActiveSync running - mobile brute force vector
  - HIGH: robots.txt allows full crawling
  - MEDIUM: Hosted by third party (Exoca/open2mail.fr) - supply chain risk
  - MEDIUM: Version partially disclosed via CSS build parameter (Nov 2025)
  - INFO: Admin console properly firewalled
  - INFO: HTML client access restricted

HOSTING PROVIDER DETAILS:
  Exoca (French ISP/hosting)
  Location: Amiens, Somme, France
  Platform: open2mail.fr (managed Zimbra hosting)
  Other clients on same cert: webmail.media2001.be

RAW HEADERS:
  HTTP/1.1 200 OK
  Server: nginx
  X-Frame-Options: SAMEORIGIN
  Expires: -1
  Cache-Control: no-store, no-cache, must-revalidate, max-age=0
  Pragma: no-cache
  Content-Language: en-US
  Set-Cookie: ZM_TEST=true; Secure
  Set-Cookie: ZM_LOGIN_CSRF=...; Secure; HttpOnly
  Vary: User-Agent
  X-UA-Compatible: IE=edge