================================================================================
BURKINA FASO MINISTRY WEBSITE PROBE RESULTS
Date: 2026-03-04
Method: Passive OSINT (curl headers + CMS path checks)
Probe Tool: curl with --connect-timeout 10
================================================================================

================================================================================
DOMAIN: finances.gov.bf
================================================================================
STATUS: ALIVE (200 OK via www.finances.gov.bf)
REDIRECT CHAIN: finances.gov.bf -> 301 -> www.finances.gov.bf -> 307 -> /accueil -> 200
SERVER: Apache
X-POWERED-BY: PHP/7.3.31
CMS: TYPO3 (confirmed)
TYPO3 LOGIN: https://www.finances.gov.bf/typo3/ -> 200 OK
  Title: "TYPO3 CMS Login: Finance"
  Extension: bootstrap_package (background image from typo3conf/ext/bootstrap_package/)
TYPO3 INSTALL TOOL: https://www.finances.gov.bf/typo3/install.php -> 200 OK
  Title: "Install tool on site Finance"
  Content: Full install tool HTML rendered with maintenance controller
  Redirect: /typo3/install/ -> 307 -> /typo3/install.php
TYPO3 CONFIG: /typo3conf/LocalConfiguration.php -> 200 (PHP executes, empty body)
TYPO3TEMP: /typo3temp/ -> 200 OK (accessible, Last-Modified: Mon, 15 Apr 2019)
TYPO3CONF: /typo3conf/ -> 403 Forbidden
FILEADMIN: /fileadmin/ -> 403 Forbidden
SYSEXT: /typo3/sysext/ -> 403 Forbidden
CONTENT-LANGUAGE: ab
SECURITY HEADERS:
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Content-Security-Policy: default-src: 'self';
  X-UA-Compatible: IE=edge
NOTES:
  - TYPO3 Install Tool is ACCESSIBLE (CRITICAL finding)
  - TYPO3 admin login panel exposed at /typo3/
  - PHP version disclosed: 7.3.31 (EOL since Nov 2021)
  - typo3temp directory accessible
  - CSS timestamp 1717596796 = June 5 2024 (last TYPO3 cache rebuild)
  - Bootstrap Package extension detected
================================================================================
DOMAIN: sante.gov.bf
================================================================================
STATUS: ALIVE (200 OK via www.sante.gov.bf)
REDIRECT CHAIN: sante.gov.bf -> 301 -> www.sante.gov.bf -> 307 -> /accueil -> 200
SERVER: Apache
X-POWERED-BY: PHP/7.3.31
CMS: TYPO3 (confirmed)
TYPO3 LOGIN: https://www.sante.gov.bf/typo3/ -> 200 OK
  Title: "TYPO3 CMS Login: Ministere de la Sante"
TYPO3 INSTALL TOOL: https://www.sante.gov.bf/typo3/install.php -> 200 OK
TYPO3 CONFIG: /typo3conf/LocalConfiguration.php -> 200 (PHP executes, empty body)
TYPO3TEMP: /typo3temp/ -> 403 Forbidden
CONTENT-LANGUAGE: fr
CONTENT-LENGTH: 513288
SECURITY HEADERS: Same as finances.gov.bf
NOTES:
  - Same TYPO3 platform as finances
  - Install tool accessible (CRITICAL)
  - Largest page payload (513KB)

================================================================================
DOMAIN: education.gov.bf
================================================================================
STATUS: ALIVE (200 OK via www.education.gov.bf)
REDIRECT CHAIN: education.gov.bf -> 301 -> www.education.gov.bf -> 307 -> /accueil -> 200
SERVER: Apache
X-POWERED-BY: PHP/7.3.31
CMS: TYPO3 (confirmed)
TYPO3 LOGIN: https://www.education.gov.bf/typo3/ -> 200 OK
  Title: "TYPO3 CMS Login: Site Ministere"
TYPO3 INSTALL TOOL: https://www.education.gov.bf/typo3/install.php -> 200 OK
TYPO3 CONFIG: /typo3conf/LocalConfiguration.php -> 200 (PHP executes, empty body)
TYPO3TEMP: /typo3temp/ -> 200 OK (accessible)
ROBOTS.TXT: Returns TYPO3 Exception page (error handler info leak)
CONTENT-LANGUAGE: fr
SECURITY HEADERS: Same as finances.gov.bf
NOTES:
  - Install tool accessible (CRITICAL)
  - /robots.txt triggers TYPO3 Exception (debug info leak)
  - typo3temp accessible

================================================================================
DOMAIN: justice.gov.bf
================================================================================
STATUS: ALIVE (200 OK, direct)
SERVER: MoJ-Gateway (custom header, nginx behind reverse proxy)
CMS: Laravel (PHP framework, confirmed by XSRF-TOKEN, session cookie patterns)
SESSION COOKIE: ministere-de-la-justice-burkina-faso-session (HttpOnly, Secure, SameSite=Lax)
XSRF TOKEN: Present in Set-Cookie (base64-encoded JSON with iv/value/mac/tag)
ADMIN PANEL:
  /admin -> 301 redirect to /administrative-control-panel-secure-2024
  /administrative-control-panel-secure-2024 -> 302 redirect to /secure-authentication-portal-2024
  /secure-authentication-portal-2024 -> 200 OK (ADMIN LOGIN PAGE ACCESSIBLE)
SENSITIVE PATHS:
  /.env -> 403 Forbidden (exists but blocked)
  /storage -> 301 redirect (exists, 403 on /storage/)
  /telescope -> 404
  /horizon -> 404
  /login -> 404
  /register -> 404
  /api -> 404
ROBOTS.TXT: "User-agent: * / Disallow:" (allows everything)
SECURITY HEADERS:
  X-Frame-Options: DENY (stricter than TYPO3 sites)
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin + no-referrer
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Permissions-Policy: geolocation=(), microphone=(), camera=()
  Cross-Origin-Opener-Policy: same-origin
  Cross-Origin-Embedder-Policy: require-corp
  Content-Security-Policy: detailed policy with whitelisted CDN sources
NOTES:
  - Custom server header "MoJ-Gateway" reveals ministry identity
  - Admin panel URL leaked via redirect chain: /admin -> /administrative-control-panel-secure-2024 -> /secure-authentication-portal-2024
  - Session cookie name reveals: "ministere-de-la-justice-burkina-faso"
  - .env file EXISTS (403, not 404) -- file is present but access denied
  - /storage directory EXISTS (301 redirect)
  - nginx revealed in 403 error pages (upstream server)
  - Best security headers of all probed sites
  - CSP allows: cdnjs.cloudflare.com, cdn.jsdelivr.net, connect.facebook.net, *.facebook.com, *.fbcdn.net

================================================================================
DOMAIN: mae.gov.bf (Foreign Affairs - Affaires Etrangeres)
================================================================================
STATUS: ALIVE (200 OK via www.mae.gov.bf)
REDIRECT CHAIN: mae.gov.bf -> 301 -> www.mae.gov.bf -> 307 -> /accueil -> 200
SERVER: Apache
X-POWERED-BY: PHP/7.3.31
CMS: TYPO3 (confirmed)
TYPO3 LOGIN: https://www.mae.gov.bf/typo3/ -> 200 OK
  Title: "TYPO3 CMS Login: Ministere des Affaires Etrangeres et de la Cooperation"
TYPO3 INSTALL TOOL: https://www.mae.gov.bf/typo3/install.php -> 200 OK
TYPO3 CONFIG: /typo3conf/LocalConfiguration.php -> 200 (PHP executes, empty body)
TYPO3TEMP: /typo3temp/ -> 403 Forbidden
CONTENT-LANGUAGE: fr
CONTENT-LENGTH: 100188
SECURITY HEADERS: Same as finances.gov.bf
NOTES:
  - Install tool accessible (CRITICAL)
  - affaires-etrangeres.gov.bf DOES NOT RESOLVE (mae.gov.bf is the correct domain)

================================================================================
DOMAIN: affaires-etrangeres.gov.bf
================================================================================
STATUS: DOWN / DOES NOT RESOLVE
NOTES: No DNS resolution on HTTP or HTTPS. Use mae.gov.bf instead.
================================================================================
DOMAIN: agriculture.gov.bf
================================================================================
STATUS: ALIVE (200 OK via www.agriculture.gov.bf)
REDIRECT CHAIN: agriculture.gov.bf -> 301 -> www.agriculture.gov.bf -> 307 -> /accueil -> 200
SERVER: Apache
X-POWERED-BY: PHP/7.3.31
CMS: TYPO3 (confirmed)
TYPO3 LOGIN: https://www.agriculture.gov.bf/typo3/ -> 200 OK
  Title: "TYPO3 CMS Login: Ministere de l'Agriculture et des Amenagements Hydro-agricole"
TYPO3 INSTALL TOOL: https://www.agriculture.gov.bf/typo3/install.php -> 200 OK
TYPO3 CONFIG: /typo3conf/LocalConfiguration.php -> 200 (PHP executes, empty body)
TYPO3TEMP: /typo3temp/ -> 403 Forbidden
CONTENT-LANGUAGE: fr
CONTENT-LENGTH: 90530
SECURITY HEADERS: Same as finances.gov.bf

================================================================================
DOMAIN: commerce.gov.bf
================================================================================
STATUS: ALIVE (200 OK via www.commerce.gov.bf)
REDIRECT CHAIN: commerce.gov.bf -> 301 -> www.commerce.gov.bf -> 307 -> /accueil -> 200
SERVER: Apache
X-POWERED-BY: PHP/7.3.31
CMS: TYPO3 (confirmed)
TYPO3 LOGIN: https://www.commerce.gov.bf/typo3/ -> 200 OK
  Title: "TYPO3 CMS Login: Ministere"
TYPO3 INSTALL TOOL: https://www.commerce.gov.bf/typo3/install.php -> 200 OK
TYPO3 CONFIG: /typo3conf/LocalConfiguration.php -> 200 (PHP executes, empty body)
TYPO3TEMP: /typo3temp/ -> 403 Forbidden
CONTENT-LANGUAGE: fr
CONTENT-LENGTH: 123052
SECURITY HEADERS: Same as finances.gov.bf

================================================================================
DOMAIN: mines.gov.bf
================================================================================
STATUS: PARTIALLY ALIVE (HTTP redirects to HTTPS, but HTTPS times out)
HTTP: 301 -> https://mines.gov.bf/ (then hangs on TLS)
HTTPS: CONNECTION TIMEOUT
SERVER: Apache (from HTTP header)
NOTES: DNS resolves, Apache is running, but HTTPS/TLS is broken or blocked

================================================================================
DOMAIN: transport.gov.bf
================================================================================
STATUS: DOWN / CONNECTION TIMEOUT
NOTES: No response on HTTP or HTTPS within 10-15 seconds

================================================================================
DOMAIN: culture.gov.bf
================================================================================
STATUS: PARTIALLY ALIVE (HTTP redirects to HTTPS, but HTTPS times out)
HTTP: 301 -> https://culture.gov.bf/ (then hangs on TLS)
HTTPS: CONNECTION TIMEOUT
SERVER: Apache (from HTTP header)
NOTES: DNS resolves, Apache running, HTTPS/TLS broken or blocked

================================================================================
DOMAIN: jeunesse.gov.bf
================================================================================
STATUS: ALIVE (200 OK via www.jeunesse.gov.bf)
REDIRECT CHAIN: jeunesse.gov.bf -> 301 -> www.jeunesse.gov.bf -> 307 -> /accueil -> 200
SERVER: Apache
X-POWERED-BY: PHP/7.3.31
CMS: TYPO3 (confirmed)
TYPO3 LOGIN: https://www.jeunesse.gov.bf/typo3/ -> 200 OK
  Title: "TYPO3 CMS Login: Ministere"
TYPO3 INSTALL TOOL: https://www.jeunesse.gov.bf/typo3/install.php -> 200 OK
TYPO3 CONFIG: /typo3conf/LocalConfiguration.php -> 200 (PHP executes, empty body)
TYPO3TEMP: /typo3temp/ -> 403 Forbidden
CONTENT-LANGUAGE: fr
CONTENT-LENGTH: 72415
SECURITY HEADERS: Same as finances.gov.bf

================================================================================
DOMAIN: travail.gov.bf
================================================================================
STATUS: REDIRECT TO mailer.gov.bf (government mail portal)
HTTP: 301 -> https://mailer.gov.bf/
HTTPS: CONNECTION TIMEOUT (direct)
SERVER: nginx
REDIRECT TARGET: mailer.gov.bf -> 302 -> Keycloak OIDC login
KEYCLOAK:
  Realm: global.virt
  Client: global.virt-cli
  OIDC Discovery: https://mailer.gov.bf/keycloak/realms/global.virt/.well-known/openid-configuration
  Endpoints exposed:
    - Authorization: /keycloak/realms/global.virt/protocol/openid-connect/auth
    - Token: /keycloak/realms/global.virt/protocol/openid-connect/token
    - Introspection: /keycloak/realms/global.virt/protocol/openid-connect/token/introspect
    - UserInfo: /keycloak/realms/global.virt/protocol/openid-connect/userinfo
    - JWKS: /keycloak/realms/global.virt/protocol/openid-connect/certs
    - Registration: /keycloak/realms/global.virt/clients-registrations/openid-connect
    - Device Auth: /keycloak/realms/global.virt/protocol/openid-connect/auth/device
    - CIBA: /keycloak/realms/global.virt/protocol/openid-connect/ext/ciba/auth
    - PAR: /keycloak/realms/global.virt/protocol/openid-connect/ext/par/request
  Grant types: authorization_code, implicit, refresh_token, password, client_credentials, CIBA, device_code
  NOTE: "password" grant type enabled (Resource Owner Password Credentials -- allows direct username/password auth)
COOKIES: BM_REDIRECT=/; Path=/; Secure
SECURITY HEADERS: X-Frame-Options: SAMEORIGIN, HSTS, nosniff, no-referrer
NOTES:
  - travail.gov.bf is actually the government email portal (mailer.gov.bf)
  - Full Keycloak OIDC configuration exposed
  - Password grant type enabled (potential for brute-force against user credentials)
  - Client registration endpoint exposed
  - Realm name "global.virt" suggests virtual hosting setup

================================================================================
DOMAIN: habitat.gov.bf
================================================================================
STATUS: DOWN / CONNECTION TIMEOUT
NOTES: No response on HTTP or HTTPS

================================================================================
DOMAIN: communication.gov.bf
================================================================================
STATUS: ALIVE (200 OK via www.communication.gov.bf)
REDIRECT CHAIN: communication.gov.bf -> 301 -> www.communication.gov.bf -> 307 -> /accueil -> 200
SERVER: Apache
X-POWERED-BY: PHP/7.3.31
CMS: TYPO3 (confirmed)
TYPO3 LOGIN: https://www.communication.gov.bf/typo3/ -> 200 OK
  Title: "TYPO3 CMS Login: Site Ministere"
TYPO3 INSTALL TOOL: https://www.communication.gov.bf/typo3/install.php -> 200 OK
TYPO3 CONFIG: /typo3conf/LocalConfiguration.php -> 200 (PHP executes, empty body)
TYPO3TEMP: /typo3temp/ -> 403 Forbidden
CONTENT-LANGUAGE: fr
CONTENT-LENGTH: 172700
SECURITY HEADERS: Same as finances.gov.bf

================================================================================
DOMAIN: action-humanitaire.gov.bf
================================================================================
STATUS: DOWN / CONNECTION TIMEOUT
NOTES: No response on HTTP or HTTPS

================================================================================
DOMAIN: fonction-publique.gov.bf
================================================================================
STATUS: ALIVE (200 OK via www.fonction-publique.gov.bf)
REDIRECT CHAIN: fonction-publique.gov.bf -> 301 -> www.fonction-publique.gov.bf -> 307 -> /accueil -> 200
SERVER: Apache
X-POWERED-BY: PHP/7.3.31
CMS: TYPO3 (confirmed)
TYPO3 LOGIN: https://www.fonction-publique.gov.bf/typo3/ -> 200 OK
  Title: "TYPO3 CMS Login: Ministere"
TYPO3 INSTALL TOOL: https://www.fonction-publique.gov.bf/typo3/install.php -> 200 OK
TYPO3 CONFIG: /typo3conf/LocalConfiguration.php -> 200 (PHP executes, empty body)
TYPO3TEMP: /typo3temp/ -> 200 OK (accessible)
CONTENT-LANGUAGE: fr
CONTENT-LENGTH: 91728
SECURITY HEADERS: Same as finances.gov.bf
NOTES:
  - typo3temp accessible

================================================================================
DOMAIN: sport.gov.bf
================================================================================
STATUS: DOWN / CONNECTION TIMEOUT
NOTES: No response on HTTP or HTTPS

================================================================================
DOMAIN: environnement.gov.bf
================================================================================
STATUS: ALIVE (200 OK via www.environnement.gov.bf)
REDIRECT CHAIN: environnement.gov.bf -> 301 -> www.environnement.gov.bf -> 307 -> /accueil -> 200
SERVER: Apache
X-POWERED-BY: PHP/7.3.31
CMS: TYPO3 (confirmed)
TYPO3 LOGIN: https://www.environnement.gov.bf/typo3/ -> 200 OK
  Title: "TYPO3 CMS Login: Site Ministere"
TYPO3 INSTALL TOOL: https://www.environnement.gov.bf/typo3/install.php -> 200 OK
TYPO3 CONFIG: /typo3conf/LocalConfiguration.php -> 200 (PHP executes, empty body)
TYPO3TEMP: /typo3temp/ -> 200 OK (accessible)
SET-COOKIE: fe_typo_user=ff402cdc5a17ee4619baf5b0fc1d5970 (TYPO3 frontend user cookie) + fe_typo_user=deleted (immediately deleted -- session handling artifact)
CONTENT-LANGUAGE: ab
SECURITY HEADERS: Same as finances.gov.bf
NOTES:
  - fe_typo_user cookie LEAKS in response headers (TYPO3 frontend auth cookie)
  - typo3temp accessible
  - Content-Language set to "ab" (Abkhazian) -- misconfiguration

================================================================================
DOMAIN: economie.gov.bf
================================================================================
STATUS: DOWN / CONNECTION TIMEOUT
NOTES: No response on HTTP or HTTPS

================================================================================
DOMAIN: transition.gov.bf
================================================================================
STATUS: DOWN / CONNECTION TIMEOUT
NOTES: No response on HTTP or HTTPS

================================================================================
DOMAIN: servicepublic.gov.bf
================================================================================
STATUS: ALIVE (200 OK, direct, no www redirect)
SERVER: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
  FULL VERSION STRING EXPOSED IN HEADERS
CMS: Laravel (PHP framework, confirmed by XSRF-TOKEN, session cookie, csrf-token meta tag)
SESSION COOKIE: service_public_burkinabe_session (HttpOnly, path=/)
XSRF TOKEN: Present (base64-encoded JSON with iv/value/mac)
CSRF META TAG: Present in HTML source
SENSITIVE PATHS:
  /.env -> 404 (not blocked, file likely absent or moved)
  /storage -> 301 redirect to /storage/ -> 403 Forbidden
  /admin -> 404
  /login -> 404
  /telescope -> 404
  /horizon -> 404
ROBOTS.TXT: "User-agent: * / Disallow:" (allows everything)
SECURITY HEADERS: NONE besides Cache-Control: no-cache, private
NOTES:
  - CRITICAL: Full server version disclosure: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
  - Apache 2.4.6 is from 2013 (CentOS 7 default)
  - OpenSSL 1.0.2k-fips is from Jan 2017 (EOL since Dec 2019)
  - PHP 7.2.34 is EOL since Nov 2020
  - NO security headers (no HSTS, no X-Frame-Options, no CSP, no XSS protection)
  - /storage directory exists (403)
  - Session cookie name reveals: "service_public_burkinabe"
  - Session cookie MISSING "secure" flag and "samesite" attribute

================================================================================
================================================================================
SUMMARY
================================================================================
================================================================================

DOMAINS ALIVE: 12/21
  1. finances.gov.bf - ALIVE (TYPO3)
  2. sante.gov.bf - ALIVE (TYPO3)
  3. education.gov.bf - ALIVE (TYPO3)
  4. justice.gov.bf - ALIVE (Laravel)
  5. mae.gov.bf - ALIVE (TYPO3) [Foreign Affairs]
  6. agriculture.gov.bf - ALIVE (TYPO3)
  7. commerce.gov.bf - ALIVE (TYPO3)
  8. jeunesse.gov.bf - ALIVE (TYPO3)
  9. communication.gov.bf - ALIVE (TYPO3)
  10. fonction-publique.gov.bf - ALIVE (TYPO3)
  11. environnement.gov.bf - ALIVE (TYPO3)
  12. servicepublic.gov.bf - ALIVE (Laravel)

DOMAINS PARTIALLY ALIVE (HTTP only, HTTPS broken):
  13. mines.gov.bf - HTTP 301 -> HTTPS (TLS timeout)
  14. culture.gov.bf - HTTP 301 -> HTTPS (TLS timeout)

DOMAINS REDIRECTED:
  15. travail.gov.bf - Redirects to mailer.gov.bf (Keycloak SSO)

DOMAINS DOWN/UNREACHABLE:
  16. affaires-etrangeres.gov.bf - No DNS resolution
  17. transport.gov.bf - No response
  18. habitat.gov.bf - No response
  19. action-humanitaire.gov.bf - No response
  20. sport.gov.bf - No response
  21. economie.gov.bf - No response
  22. transition.gov.bf - No response

================================================================================
CMS DISTRIBUTION
================================================================================
TYPO3 CMS: 10 sites (massive shared infrastructure)
  - finances.gov.bf, sante.gov.bf, education.gov.bf, mae.gov.bf, agriculture.gov.bf, commerce.gov.bf, jeunesse.gov.bf, communication.gov.bf, fonction-publique.gov.bf, environnement.gov.bf
  - All share: Apache + PHP/7.3.31 + identical security headers
  - All have: /typo3/ login (200), /typo3/install.php (200), /typo3conf/LocalConfiguration.php (200)
  - Bootstrap Package extension installed across all

Laravel Framework: 2 sites
  - justice.gov.bf (custom MoJ-Gateway server, good security headers)
  - servicepublic.gov.bf (Apache/CentOS, poor security headers)

Keycloak SSO: 1 site (mailer.gov.bf via travail.gov.bf redirect)

Unknown (down/unreachable): 8 domains

================================================================================
ADMIN PANELS EXPOSED
================================================================================
1. TYPO3 Backend Login (/typo3/) - 200 OK on ALL 10 TYPO3 sites
   Risk: Login brute-force, credential stuffing

2. TYPO3 Install Tool (/typo3/install.php) - 200 OK on ALL 10 TYPO3 sites
   Risk: CRITICAL - Install tool can modify DB settings, reset passwords, clear caches, view system info, execute maintenance tasks

3. justice.gov.bf Admin Panel - 200 OK
   Path: /secure-authentication-portal-2024
   Discovered via: /admin -> 301 -> /administrative-control-panel-secure-2024 -> 302 -> /secure-authentication-portal-2024
   Risk: URL obfuscation defeated by following redirects

4. Keycloak Admin (mailer.gov.bf)
   Full OIDC discovery exposed with all endpoints
   Password grant type enabled

================================================================================
CRITICAL FINDINGS (SEVERITY: HIGH TO CRITICAL)
================================================================================
[CRITICAL] TYPO3 Install Tool Accessible on 10 Government Sites
  All 10 TYPO3-based ministry websites expose /typo3/install.php (HTTP 200).
  The install tool provides system maintenance capabilities including database management,
  configuration editing, and password reset. This is protected only by an install tool
  password, not the backend login.
  Affected: finances, sante, education, mae, agriculture, commerce, jeunesse, communication, fonction-publique, environnement

[HIGH] Outdated Software Stack (TYPO3 cluster)
  PHP 7.3.31 -- EOL since November 28, 2021 (4+ years without security patches)
  All 10 TYPO3 sites share this same vulnerable PHP version.

[HIGH] Severely Outdated Software Stack (servicepublic.gov.bf)
  Apache 2.4.6 -- from 2013 (CentOS 7 default, known CVEs)
  OpenSSL 1.0.2k-fips -- from 2017 (EOL Dec 2019, many CVEs including Heartbleed-era)
  PHP 7.2.34 -- EOL since November 30, 2020
  Full version strings disclosed in every HTTP response header.

[HIGH] Admin Panel URL Leak (justice.gov.bf)
  /admin redirects reveal the hidden admin panel path:
  /administrative-control-panel-secure-2024 -> /secure-authentication-portal-2024
  Security-through-obscurity defeated by a simple curl -L.

[HIGH] Keycloak Password Grant Enabled (mailer.gov.bf)
  The OIDC configuration exposes that the "password" grant type is enabled, allowing direct
  username/password authentication without OAuth flow. Combined with exposed token endpoint,
  this enables credential brute-forcing.

[MEDIUM] TYPO3 Backend Login Exposed on 10 Sites
  /typo3/ returns 200 OK with login form on all TYPO3 sites.
  No IP restriction, no rate limiting detected, no CAPTCHA visible.
[MEDIUM] fe_typo_user Cookie Leak (environnement.gov.bf)
  TYPO3 frontend user session cookie set and immediately deleted in response.
  Reveals TYPO3 session management configuration.

[MEDIUM] Missing Security Headers (servicepublic.gov.bf)
  No X-Frame-Options, no HSTS, no CSP, no X-Content-Type-Options.
  Vulnerable to clickjacking, MIME sniffing, and XSS attacks.

[MEDIUM] TYPO3 Exception Page on robots.txt (education.gov.bf)
  /robots.txt triggers a TYPO3 Exception page with debug-style formatting.
  May leak internal paths or error details to attackers.

[LOW] Content-Language Misconfiguration
  finances.gov.bf and environnement.gov.bf return Content-Language: "ab" (Abkhazian) instead of "fr" (French).
  Indicates misconfigured TYPO3 site settings.

[LOW] typo3temp Directory Accessible
  finances.gov.bf, education.gov.bf, fonction-publique.gov.bf, environnement.gov.bf return 200 OK for /typo3temp/ (cached/compiled assets directory).

[INFO] .env File Exists (justice.gov.bf)
  Returns 403 Forbidden (not 404), indicating the file exists but is blocked.
  Proper access control is in place but file should ideally not exist in webroot.

[INFO] Session Cookie Names Reveal Application Identity
  justice.gov.bf: "ministere-de-la-justice-burkina-faso-session"
  servicepublic.gov.bf: "service_public_burkinabe_session"

[INFO] servicepublic.gov.bf Session Cookie Missing Secure Flag
  The session cookie is set without the "secure" flag and without "samesite" attribute,
  potentially allowing session hijacking over HTTP or cross-site request forgery.

================================================================================
INFRASTRUCTURE OBSERVATIONS
================================================================================
1. SHARED TYPO3 PLATFORM
   All 10 TYPO3 sites appear to be on the same hosting infrastructure:
   - Identical Apache + PHP/7.3.31 stack
   - Identical security header set (word-for-word same CSP, HSTS, etc.)
   - Same redirect pattern: bare domain -> 301 -> www -> 307 -> /accueil -> 200
   - Same TYPO3 Bootstrap Package extension
   - Likely a single server or cluster hosting all ministry TYPO3 sites
   - A compromise of one could compromise all 10

2. JUSTICE.GOV.BF IS INDEPENDENTLY MANAGED
   Different stack (Laravel + nginx + custom MoJ-Gateway header)
   Better security posture (COOP/COEP, CSP, Permissions-Policy)
   But admin panel URL leaked through redirect chain

3. SERVICEPUBLIC.GOV.BF IS THE WEAKEST LINK
   Oldest software stack (Apache 2.4.6 from 2013)
   No security headers whatsoever
   Full version disclosure in every response
   Session cookie missing secure flag

4. GOVERNMENT MAIL INFRASTRUCTURE (mailer.gov.bf)
   Keycloak SSO protecting what appears to be a webmail portal
   Full OIDC configuration publicly accessible
   Password grant type enabled (unusual for webmail)
   Realm "global.virt" suggests virtualized hosting

================================================================================
END OF REPORT
================================================================================