# Police Nationale du Burkina Faso
**Sector:** Law Enforcement
**Date:** 2026-03-03
**Source:** THOT Domain Intel + Manual Recon

## Domains
| Domain | Status |
|--------|--------|
| `police.gov.bf` | UP |

## Hosting & Infrastructure
- **IP:** Unknown (WhatWeb could not resolve)
- **Server:** Apache/2.4.51 (Debian)
- **PHP:** 7.3.32 (exposed via X-Powered-By)
- **OS:** Debian Linux (inferred from the "(Debian)" tag in the Server header, not independently confirmed)

## Tech Stack
### CMS / Framework
- **Joomla** (WhatWeb guess at the time; version confirmed as 3.7.2 in the lateral findings below)
- **K2 v2.7.1** (by JoomlaWorks) — content extension for Joomla
- **SmartAddons.Com** template (meta generator)
- **SJ Financial** template

### Frontend / JavaScript
- jQuery
- Bootstrap
- Modernizr
- HTML5

### Analytics
- **Google Analytics:** Universal Analytics (account not extracted)

### Security Headers
Response headers with security relevance, all taken from the front page:
- **X-Content-Powered-By:** K2 v2.7.1 (JoomlaWorks) (extension version disclosure)
- **X-Logged-In:** False (Joomla reports the requester's own session state; trivial for an anonymous visitor, but a reliable Joomla fingerprint)
- **X-Powered-By:** PHP/7.3.32 (PHP version disclosure)
- **P3P:** privacy-policy header set (obsolete; only old Internet Explorer ever honoured it)
- No HSTS, no CSP, no X-Frame-Options
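The header observations above are the kind of thing worth scripting so every host in the gov.bf sweep gets the same verdict. The block below is an added example, not part of the original recon notes: it parses a raw response header block, flags version strings in `Server` / `X-Powered-By` / `X-Content-Powered-By`, reports missing hardening headers, and treats `X-Logged-In` as a Joomla fingerprint. Both sample responses are constructed here from the values recorded in these notes (the `Date`, `Content-Type` and the hardened variant are filler), not byte-for-byte captures of `police.gov.bf`.

```python
"""Added example: audit a captured HTTP response header block for version
disclosure and missing hardening headers. Not code from the original notes."""
from __future__ import annotations

import re

# CONSTRUCTED from the recon notes: Server, X-Powered-By, X-Content-Powered-By,
# X-Logged-In, P3P and Cache-Control are as observed; Date/Content-Type are filler.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 03 Mar 2026 10:00:00 GMT
Server: Apache/2.4.51 (Debian)
X-Powered-By: PHP/7.3.32
X-Content-Powered-By: K2 v2.7.1 (by JoomlaWorks)
X-Logged-In: False
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
"""

# CONSTRUCTED hardened counterpart: what the same server should send.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
"""

# Hardening headers every public HTTPS site should carry, with the reason.
HARDENING = {
    "strict-transport-security": "HSTS missing (downgrade/SSL-strip exposure)",
    "content-security-policy": "CSP missing (XSS has no second barrier)",
    "x-frame-options": "X-Frame-Options missing (clickjacking)",
    "x-content-type-options": "X-Content-Type-Options missing (MIME sniffing)",
}

# Headers that commonly carry a product/version string. A bare product name
# with no dotted number (e.g. "Server: Apache") is not flagged.
VERSION_HEADERS = ("server", "x-powered-by", "x-content-powered-by")
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")
ONE_YEAR = 31536000  # minimum HSTS max-age accepted by the browser preload list


def parse_headers(raw: str) -> dict[str, str]:
    """Parse 'Name: value' lines into a lower-cased dict. The status line has no
    colon and is skipped; on duplicate names the last value wins."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str) -> list[str]:
    """Return one finding string per problem, sorted for stable output."""
    h = parse_headers(raw)
    findings: list[str] = []
    for name in VERSION_HEADERS:
        if name in h and VERSION_RE.search(h[name]):
            findings.append(f"version disclosure: {name}: {h[name]}")
    for name, why in HARDENING.items():
        if name not in h:
            findings.append(why)
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < ONE_YEAR):
        findings.append(f"HSTS max-age below one year: {hsts}")
    if "x-logged-in" in h:
        findings.append("Joomla fingerprint: X-Logged-In present")
    return sorted(findings)


if __name__ == "__main__":
    for label, raw in (("observed", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}] {len(audit(raw))} finding(s)")
        for f in audit(raw):
            print("  -", f)
```

On the Apache side the two version disclosures go away with `ServerTokens Prod` and `expose_php = Off` in php.ini; the K2 header is emitted by the extension itself and has to be stripped with `Header unset X-Content-Powered-By`.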

### Cookies
- Joomla session cookie (hash-based)
- `cwGeoData` — geolocation tracking cookie
- `sj_financial_tpl` — template preference cookie

## Interesting Findings
- **Joomla with K2** — completely different CMS from the TYPO3 gov infrastructure
  - Police website is NOT on the shared gov.bf TYPO3 platform
  - Suggests independently managed by different team/contractor
- **Apache 2.4.51 on Debian** — specific version exposed (different from other gov sites hiding version)
- **PHP 7.3.32**: end-of-life branch (7.3 stopped receiving security fixes in December 2021); the patch level differs from defense/securite (7.3.31), so this is almost certainly a separate host rather than the same box
- **X-Logged-In: False** header: Joomla reports the requester's own session state, nothing about other users, so the disclosure itself is minor; its value is as a Joomla fingerprint
- **cwGeoData cookie** — tracking visitor geolocation (set to "unknown+city|unknown+country|xx")
- **SmartAddons / SJ Financial template**: commercial Joomla template with a finance theme, so probably repurposed rather than built for the site
- **contact@ytcvn.com** email found in page: YTCVN appears to be the web developer (company origin unverified)
- **No HSTS, no CSP** — significantly weaker security posture than defense/securite sites
- **Cache-Control: no-store** — dynamic pages, no caching

## Emails Discovered
- `contact@ytcvn.com`: web developer/contractor email (company origin unverified)
- `infos@securite.gov.bf`: referenced on the page but belongs to the securite.gov.bf domain, not this one

## DNS Records (5 found)

## Subdomains (1 found — www only)

## Security Concerns
- Full server version exposed (Apache 2.4.51 Debian)
- Full PHP version exposed (7.3.32)
- X-Logged-In header fingerprints Joomla (reflects only the requester's own session)
- No HSTS, CSP, or modern security headers
- Joomla session cookie observed; Secure/HttpOnly flags not recorded in this pass and still need checking
- Contact email points to an external contractor (ytcvn.com, origin unverified); outsourced maintenance is plausible

## LATERAL FINDINGS (2026-03-04)

### Joomla Version CONFIRMED: 3.7.2 (May 2017)
**Source:** `/administrator/manifests/files/joomla.xml`
```xml
<version>3.7.2</version>
<creationDate>May 2017</creationDate>
```
This install dates from May 2017, nearly nine years before this note, and has missed every Joomla 3.x security release since. Each CVE still has to be checked against the release that fixed it; not everything published for 3.7.x reaches 3.7.2.

### Admin Login Page Exposed
**URL:** `https://police.gov.bf/administrator/`
**Status:** 200 OK. The full Joomla admin login page is reachable from the internet; no authentication bypass was observed, so this is a brute-force / credential-stuffing surface, not access.
- Login form at `/administrator/index.php`
- Session keepalive interval: 840000ms (14 minutes)
- Generator: "Joomla! - Open Source Content Management"
- K2 v2.7.1 confirmed in X-Content-Powered-By header

### Known CVEs for Joomla 3.7.x:
- **CVE-2017-8917**: com_fields SQL injection (critical), but it affects 3.7.0 only and was fixed in 3.7.1, so it does NOT apply to 3.7.2 as fingerprinted
- **CVE-2017-11612**: multiple XSS from inadequate HTML filtering, fixed in 3.7.4: applies
- **CVE-2017-14596**: LDAP injection in the LDAP authentication plugin, fixed in 3.8.0: applies only if that (non-default) plugin is enabled
- Joomla 3.x security releases continued through 3.10.x (3.x reached end of life in August 2023); everything fixed between 3.7.2 and the last 3.10 release is unpatched here
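The manifest fingerprint and the CVE triage above belong together: the version string decides which advisories are live. The block below is an added example, not code from the original notes: it parses a `joomla.xml` manifest, extracts `<version>`, and compares it against the first-affected and first-fixed release of each CVE listed above. The manifest text is constructed here; only the `<version>` and `<creationDate>` elements come from the recon capture, the surrounding elements are the normal shape of that file. The fixed-in versions are the public ones (3.7.1, 3.7.4, 3.8.0).

```python
"""Added example: decide which of the CVEs in these notes apply to the Joomla
version read from administrator/manifests/files/joomla.xml. Not original code."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# CONSTRUCTED manifest: <version> and <creationDate> are the captured values,
# the other elements are the usual structure of files_joomla's manifest.
SAMPLE_MANIFEST = """<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <creationDate>May 2017</creationDate>
    <version>3.7.2</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""

# CVE -> (first affected release, first fixed release, note). Ranges are from
# the public advisories; the LDAP note flags a CVE that needs a non-default plugin.
FIXED_IN = {
    "CVE-2017-8917": ((3, 7, 0), (3, 7, 1), "com_fields SQL injection"),
    "CVE-2017-11612": ((1, 5, 0), (3, 7, 4), "stored XSS, inadequate HTML filtering"),
    "CVE-2017-14596": ((1, 5, 0), (3, 8, 0), "LDAP auth plugin injection (plugin off by default)"),
}


def parse_version(text: str) -> tuple[int, ...]:
    """'3.7.2' -> (3, 7, 2); tolerates a suffix such as '3.7.2-dev'."""
    core = text.strip().split("-")[0]
    return tuple(int(p) for p in core.split("."))


def version_from_manifest(xml_text: str) -> tuple[int, ...]:
    """Read <version> from a Joomla extension manifest (no XML namespace)."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return parse_version(node.text)


def fmt(v: tuple[int, ...]) -> str:
    return ".".join(str(p) for p in v)


def applicable_cves(version: tuple[int, ...]) -> dict[str, str]:
    """Map each CVE in FIXED_IN to an 'applies: ...' or 'fixed in X: ...' verdict.
    Tuple comparison gives the half-open range [first_affected, first_fixed)."""
    verdicts: dict[str, str] = {}
    for cve, (first, fixed, note) in FIXED_IN.items():
        if first <= version < fixed:
            verdicts[cve] = f"applies: {note}"
        else:
            verdicts[cve] = f"fixed in {fmt(fixed)}: {note}"
    return verdicts


if __name__ == "__main__":
    v = version_from_manifest(SAMPLE_MANIFEST)
    print("Joomla", fmt(v))
    for cve, verdict in applicable_cves(v).items():
        print(f"  {cve}: {verdict}")
```

Feeding the captured manifest through this gives CVE-2017-8917 as already fixed at 3.7.2 and the other two as live, which is what the triage above concludes by hand; the same table can be extended with later 3.x advisories as they are checked.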

### htaccess.txt
Joomla default htaccess file retrieved from `https://police.gov.bf/htaccess.txt`. It ships with every Joomla install, so its presence confirms a stock distribution layout rather than a misconfiguration; it is useful as the baseline for whatever rewrite rules were copied into the live `.htaccess`.

## TODO
- [ ] CVE-2017-8917 does not reach 3.7.2 (fixed in 3.7.1); confirm CVE-2017-11612 (fixed 3.7.4) and CVE-2017-14596 (fixed 3.8.0, LDAP plugin only) instead
- [ ] K2 v2.7.1 specific vulnerability check
- [ ] Investigate ytcvn.com contractor
- [ ] Google dorking: site:police.gov.bf filetype:pdf
