================================================================================
BURKINA FASO INFRASTRUCTURE SUBDOMAIN PROBE - COMPREHENSIVE RESULTS
================================================================================
Date: 2026-03-04
Probed by: Automated curl -sk with full headers
Total targets: 17 subdomains across 4 categories
Responsive: 8 targets (47%)
Critical findings: 3 (separate detailed files created)
================================================================================

TABLE OF CONTENTS:
  1. EXECUTIVE SUMMARY
  2. CPANEL INSTANCES (7 targets)
  3. DEVOPS/MONITORING - BTIC (5 targets)
  4. WEBMAIL - PRIVATE SECTOR (3 targets)
  5. SSL CERTIFICATE INTELLIGENCE
  6. TECHNOLOGY FINGERPRINTING SUMMARY
  7. UNREACHABLE TARGETS

================================================================================
1. EXECUTIVE SUMMARY
================================================================================

CRITICAL FINDINGS (separate files with full details):

  [1] kolab.btic.bf (cloud.btic.bf) - Kolab Groupware fully exposed
      -> See: CRITICAL-kolab-btic-bf.txt
  [2] webmail.cci.bf - Zimbra Collaboration Suite with SOAP API
      -> See: CRITICAL-zimbra-webmail-cci-bf.txt
  [3] cpanel.sig.bf - cPanel/WHM/Webmail all exposed, hostname leaked
      -> See: CRITICAL-cpanel-sig-bf.txt

HIGH-VALUE FINDINGS:

  - BTIC Kolab: 6 services exposed (Roundcube, Chwala files, CalDAV, FreeBusy,
    ActiveSync, IMAPS) running EOL PHP 8.0.30 on AlmaLinux
  - Zimbra CCI.BF: SOAP API, ActiveSync, Preauth endpoint all accessible
  - cPanel SIG.BF: WHM admin panel (root access) on port 2087
  - 2x OpenLiteSpeed default SSL certs (edifice.bf, edimedia.bf)
  - openresty/1.27.1.1 version disclosure (unibio.bf)

UNREACHABLE (DNS failure or connection timeout):

  zabbix.btic.bf, git2.btic.bf, cloud2.btic.bf, intranet.softnet.bf,
  webmail.airtel.bf, webmail.softnet.bf, cpanel.onaser.bf,
  cpanel.globalsolutions.bf, cpanel.universiteenligne.bf

================================================================================
2. CPANEL INSTANCES
================================================================================

2.1 cpanel.sig.bf [LIVE - CRITICAL]

  IP: 5.9.59.157 (Hetzner, Germany)
  Backend: bm.serveurhosting.net

  Port 2083/HTTPS: cPanel Login - 200 OK
    Server: (not in header - cPanel native)
    Content-Type: text/html; charset="utf-8"
    Security: X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff
    Cookies: cprelogin, cpsession, roundcube_sessid (all HttpOnly+Secure)
    cPanel Copyright 2026
    Magic revisions: 1749858375 (Jun 2025), 1748449569 (May 2025)
  Port 2082/HTTP: 301 -> https://bm.serveurhosting.net:2083/ [HOSTNAME LEAK]
  Port 443/HTTPS: cPanel Login - 200 OK
    Server: Apache
  Port 2087/HTTPS: WHM Login - 200 OK [ROOT ADMIN PANEL]
    Cookies: whostmgrrelogin, whostmgrsession
  Port 2096/HTTPS: Webmail Login - 200 OK
    Cookies: webmailrelogin, webmailsession, roundcube_cookies

  robots.txt (443): Disallow: /
  JSON API: /json-api/applist -> "Access denied" (exists, auth required)
  Login API: /login/?login_only=1 -> {"status":0,"message":"no_username"}

  SSL: CN=*.sig.bf (LE R13), valid 2026-01-09 to 2026-04-09
  SANs: *.sig.bf, sig.bf, www.mailing.sig.bf, www.sondage.sig.bf,
        www.talk.sig.bf

--------------------------------------------------------------------------------
2.2 cpanel.onaser.bf [UNREACHABLE]

  DNS: Does not resolve
  All ports (2082, 2083, 443): Connection failed / timeout

--------------------------------------------------------------------------------
2.3 cpanel.edifice.bf [LIVE - LITESPEED]

  IP: 209.16.158.164

  Port 443/HTTPS: 200 OK
    Server: LiteSpeed
    Content-Type: text/html
    Content-Length: 4
    Body: "n0c" (PlanetHoster n0c platform marker)
    ETag: "4-6970e90e-63715;;;"
    Last-Modified: Wed, 21 Jan 2026 14:56:14 GMT
    Alt-Svc: h3=":443" (HTTP/3 enabled)
  Port 2083/HTTPS: Timeout (no cPanel on this port)
  Port 2082/HTTP: Timeout
  Port 2087/HTTPS (WHM): Timeout
  Port 7080/HTTPS (LS Admin): Timeout
  Port 8088/HTTPS: Timeout

  robots.txt (443): 404 Not Found (LiteSpeed branded)

  SSL: SELF-SIGNED - CN=openlitespeed.host (LiteSpeedCommunity, NJ, Testing)
    Valid: 2026-01-27 to 2039-10-06
    DEFAULT CERT NOT REPLACED - confirms fresh/unconfigured OpenLiteSpeed

  ASSESSMENT: PlanetHoster "n0c" shared hosting, OpenLiteSpeed with default
  SSL. cPanel ports not exposed. Minimal configuration.

--------------------------------------------------------------------------------
2.4 cpanel.edimedia.bf [LIVE - LITESPEED]

  IP: 209.16.158.58

  Port 443/HTTPS: 200 OK
    Server: LiteSpeed
    Content-Length: 4
    Body: "n0c" (PlanetHoster n0c platform)
    ETag: "4-6970e90e-636b0;;;"
    Last-Modified: Wed, 21 Jan 2026 14:56:14 GMT
  Port 2083/HTTPS: Timeout
  Port 2082/HTTP: Timeout
  Port 2087/HTTPS (WHM): Timeout

  robots.txt (443): 404 Not Found (LiteSpeed branded)

  SSL: SELF-SIGNED - CN=openlitespeed.host (identical to edifice.bf)
    Same LiteSpeedCommunity testing cert

  ASSESSMENT: Same PlanetHoster n0c shared hosting as edifice.bf. Almost
  identical setup. cPanel not exposed on any port.

--------------------------------------------------------------------------------
2.5 cpanel.globalsolutions.bf [UNREACHABLE]

  DNS: Does not resolve
  All ports: Connection failed

--------------------------------------------------------------------------------
2.6 cpanel.unibio.bf [LIVE - OPENRESTY]

  IP: 91.134.190.182

  Port 443/HTTPS: 415 Unsupported Media Type
    Server: openresty/1.27.1.1 [VERSION DISCLOSED]
    Content-Type: text/html
    All paths return 415 (GET, POST, /robots.txt)
  Port 2083/HTTPS: Same 415 response
  Port 2082/HTTP: Same 415 response
  Port 8080/HTTP: Timeout
  Port 8443/HTTPS: Timeout

  SSL: CN=*.unibio.bf (LE E8), valid 2026-02-18 to 2026-05-19
  SANs: *.unibio.bf, unibio.bf, www.beta.unibio.bf

  ASSESSMENT: openresty/1.27.1.1 reverse proxy with misconfigured backend.
  All requests get 415 - suggests API gateway expecting specific Content-Type
  headers. Version disclosure is notable. Subdomain www.beta.unibio.bf in cert
  suggests dev environment.

--------------------------------------------------------------------------------
2.7 cpanel.universiteenligne.bf [UNREACHABLE]

  DNS: Does not resolve
  All ports: Connection failed

================================================================================
3. DEVOPS/MONITORING - BTIC (Burkina TIC)
================================================================================

3.1 zabbix.btic.bf [UNREACHABLE]

  DNS: Does not resolve
  Tested ports: 80, 443, 8080, 8443, 10050, 10051
  All connections failed/timed out
  STATUS: Zabbix monitoring either internal-only or decommissioned

--------------------------------------------------------------------------------
3.2 git2.btic.bf [UNREACHABLE]

  DNS: Does not resolve
  Tested ports: 80, 443, 3000 (Gitea), 8080, 8443, 9090
  All connections failed (HTTP and HTTPS tested on each port)
  STATUS: Git server either internal-only or decommissioned

--------------------------------------------------------------------------------
3.3 cloud.btic.bf [LIVE - KOLAB GROUPWARE - CRITICAL]

  IP: 149.56.240.77 (OVH Canada)
  Real hostname: kolab.btic.bf (from SSL cert)

  *** DETAILED FINDINGS IN: CRITICAL-kolab-btic-bf.txt ***

  HTTPS (443): 503 Service Unavailable
    (HAProxy LB - backend down for cloud.btic.bf vhost)

  But kolab.btic.bf vhost on same IP is FULLY LIVE:
    kolab.btic.bf /                            (302 -> /roundcubemail/)
    kolab.btic.bf /roundcubemail/              : 200 OK - Roundcube 1.6.12 login
    kolab.btic.bf /chwala/                     : 200 OK - Kolab file manager login
    kolab.btic.bf /iRony/                      : 401 - SabreDAV 4.7.0 (Basic auth)
    kolab.btic.bf /freebusy/                   : 401 - Kolab Free/Busy (Basic auth)
    kolab.btic.bf /Microsoft-Server-ActiveSync : 401 (Basic auth)
    kolab.btic.bf /kolab-webadmin/             : 403 Forbidden (IP restricted)
    kolab.btic.bf :993 IMAPS                   : OPEN (valid SSL cert)

  Stack: Apache/2.4.62 (AlmaLinux), PHP/8.0.30 (EOL!), Roundcube 1.6.12
  SSL SANs: autoconfig.btic.bf, autodiscover.btic.bf, cloud.btic.bf,
            files.btic.bf, kolab.btic.bf, mail.btic.bf

--------------------------------------------------------------------------------
3.4 cloud2.btic.bf [UNREACHABLE]

  DNS: Does not resolve
  All connections failed

--------------------------------------------------------------------------------
3.5 intranet.softnet.bf [UNREACHABLE]

  DNS: Does not resolve
  All connections failed

================================================================================
4. WEBMAIL - PRIVATE SECTOR
================================================================================

4.1 webmail.airtel.bf [UNREACHABLE]

  DNS: Does not resolve
  All connections failed
  NOTE: Airtel Burkina Faso may use internal DNS or cloud-based email

--------------------------------------------------------------------------------
4.2 webmail.cci.bf [LIVE - ZIMBRA - CRITICAL]

  IP: 77.246.83.156, 77.246.83.140 (dual A records, load balanced)
  ORG: CCI du Burkina Faso (Chamber of Commerce and Industry)
  HOSTED BY: Exoca (Amiens, France) via open2mail.fr managed Zimbra platform

  *** DETAILED FINDINGS IN: CRITICAL-zimbra-webmail-cci-bf.txt ***

  HTTPS (443): 200 OK - Zimbra Web Client Sign In
  HTTP (80): 302 -> https://webmail.cci.bf/

  Services:
    /                              : Zimbra login (Harmony skin, build v=251110135723)
    /service/soap/                 : SOAP API active (auth required)
    /service/upload                : Upload servlet active (POST only)
    /service/preauth               : Preauth SSO active (needs preauth key)
    /Microsoft-Server-ActiveSync   : "Mobile service is up & running"
    /autodiscover/autodiscover.xml : 200 OK (email autoconfiguration)
    /zimbra/h/                     : 403 Forbidden (HTML client blocked)
    :7071                          : Timeout (admin console filtered)

  robots.txt: Allow: / (allows full indexing!)
  SSL: CN=*.open2mail.fr (GlobalSign OV), Exoca hosting
  SANs: *.open2mail.fr, webmail.media2001.be, owa.open2mail.fr,
        mail.open2mail.fr, autodiscover.open2mail.fr

--------------------------------------------------------------------------------
4.3 webmail.softnet.bf [UNREACHABLE]

  DNS: Does not resolve
  All connections failed

================================================================================
5. SSL CERTIFICATE INTELLIGENCE
================================================================================

TARGET                  | SUBJECT              | ISSUER      | NOTES
------------------------|----------------------|-------------|-------------------
cpanel.sig.bf           | *.sig.bf             | LE R13      | Wildcard, 5 SANs
cpanel.edifice.bf       | openlitespeed.host   | Self-signed | DEFAULT CERT
cpanel.edimedia.bf      | openlitespeed.host   | Self-signed | DEFAULT CERT
cpanel.unibio.bf        | *.unibio.bf          | LE E8       | Wildcard, 3 SANs
webmail.cci.bf          | *.open2mail.fr       | GlobalSign  | 3rd party hosting
kolab.btic.bf           | kolab.btic.bf        | LE R13      | 6 SANs, all BTIC

KEY SSL INTELLIGENCE:

  - cpanel.sig.bf reveals: mailing.sig.bf, sondage.sig.bf, talk.sig.bf
  - cpanel.unibio.bf reveals: beta.unibio.bf (dev environment)
  - webmail.cci.bf reveals: hosted by Exoca (open2mail.fr) in France
  - kolab.btic.bf reveals: autoconfig, autodiscover, files, mail .btic.bf
  - edifice.bf & edimedia.bf: BOTH using default OpenLiteSpeed test certs
    (indicates fresh/unconfigured PlanetHoster instances)

================================================================================
6. TECHNOLOGY FINGERPRINTING SUMMARY
================================================================================

SERVER SOFTWARE IDENTIFIED:

  - cPanel & WHM (cpanel.sig.bf) - Copyright 2026, recent updates
  - Apache (cpanel.sig.bf on port 443)
  - Apache/2.4.62 AlmaLinux (kolab.btic.bf)
  - nginx (webmail.cci.bf - Zimbra proxy)
  - openresty/1.27.1.1 (cpanel.unibio.bf)
  - LiteSpeed (cpanel.edifice.bf, cpanel.edimedia.bf)
  - PHP/8.0.30 (kolab.btic.bf) - END OF LIFE
  - SabreDAV 4.7.0 (kolab.btic.bf)
  - Roundcube 1.6.12 (kolab.btic.bf)
  - Zimbra ~10.x NE/FOSS (webmail.cci.bf, build Nov 2025)
  - HAProxy (cloud.btic.bf front-end)

APPLICATION PLATFORMS:

  - Kolab Groupware (BTIC)
  - Zimbra Collaboration Suite (CCI, via Exoca/open2mail.fr)
  - cPanel/WHM (SIG, via serveurhosting.net)
  - PlanetHoster n0c (edifice.bf, edimedia.bf)

HOSTING PROVIDERS:

  - Hetzner, Germany (cpanel.sig.bf - 5.9.59.157)
  - OVH Canada (cloud/kolab.btic.bf - 149.56.240.77)
  - Exoca/open2mail.fr, France (webmail.cci.bf - 77.246.83.x)
  - PlanetHoster (edifice.bf - 209.16.158.164, edimedia.bf - 209.16.158.58)
  - OVH (cpanel.unibio.bf - 91.134.190.182)

================================================================================
7. UNREACHABLE TARGETS (9 of 17)
================================================================================

TARGET                       | DNS STATUS          | NOTES
-----------------------------|---------------------|-------------------------
cpanel.onaser.bf             | No DNS resolution   |
cpanel.globalsolutions.bf    | No DNS resolution   |
cpanel.universiteenligne.bf  | No DNS resolution   |
zabbix.btic.bf               | No DNS resolution   | Monitoring - likely internal
git2.btic.bf                 | No DNS resolution   | Git server - likely internal
cloud2.btic.bf               | No DNS resolution   |
intranet.softnet.bf          | No DNS resolution   | Intranet - expected
webmail.airtel.bf            | No DNS resolution   | Airtel BF - may use cloud
webmail.softnet.bf           | No DNS resolution   |

NOTE: Many BTIC services (zabbix, git2, cloud2) likely resolve only on internal
DNS. The Kolab server (cloud.btic.bf/kolab.btic.bf) being the only
publicly-resolving BTIC service suggests others are VPN/internal only.

================================================================================
END OF REPORT
================================================================================