# UNZ.BF (Universite Norbert Zongo) - Joomla Probe Report **Date:** 2026-03-04 **Target:** https://unz.bf ## Platform Details - **CMS:** Joomla 5.3.0 (confirmed via /administrator/manifests/files/joomla.xml) - **Language:** French (fr-FR interface) - **Hosting:** LWS.fr (French hosting provider - revealed in error pages) - **Admin Panel:** https://unz.bf/administrator/ (200 OK, login page accessible) - **Edge Cache:** Active (Edge-Cache-Engine-Mode: ACTIVE) - **Anti-bot:** Anubis (X-Anubis-Action: ALLOW) - **Generator Meta:** Joomla! - Open Source Content Management ## Joomla API Probe Results (/api/index.php/v1/*) | Endpoint | HTTP Code | Response | |----------|-----------|----------| | /v1 (root) | 404 | Resource not found | | /v1/content/articles | 401 | Forbidden | | /v1/content/categories | 401 | Forbidden | | /v1/users | 401 | Forbidden | | /v1/menus | 404 | Resource not found | | /v1/extensions | 401 | Forbidden | | /v1/languages | 401 | Forbidden | | /v1/banners | 401 | Forbidden | | /v1/contacts | 401 | Forbidden | | /v1/newsfeeds | 404 | Resource not found | | /v1/tags | 401 | Forbidden | | /v1/modules | 404 | Resource not found | | /v1/plugins | 401 | Forbidden | | /v1/messages | 401 | Forbidden | | /v1/templates/styles/site | 401 | Forbidden | | /v1/fields/content/articles | 401 | Forbidden | | /v1/config/application | 401 | Forbidden | | /v1/config/com_media | 401 | Forbidden | | /v1/privacy/requests | 401 | Forbidden | | /v1/privacy/consents | 401 | Forbidden | | /v1/redirects | 401 | Forbidden | | /v1/finder | 404 | Resource not found | | /v1/menus/site | 401 | Forbidden | **API Assessment:** The Joomla Web Services API is ACTIVE but requires authentication on all endpoints. 401 Forbidden means the API recognizes the endpoint but denies unauthenticated access. 404 means the component/route is not installed or not exposed. ## Non-API Endpoints | Path | HTTP Code | Notes | |------|-----------|-------| | /robots.txt | 200 | Disallows calendar and guestbook | | /administrator/ | 200 | Full login page (14.5KB), French UI | | /configuration.php | 406 | Blocked (Not Acceptable) | | /configuration.php-dist | 406 | Blocked | | /README.txt | 200 | Confirms Joomla 5.3 | | /htaccess.txt | 200 | Default Joomla htaccess template | | /web.config.txt | 200 | IIS config template | | /LICENSE.txt | 200 | GPL v2 | | /media/system/joomla.asset.json | 200 | Asset manifest (Joomla 4.0.0 schema) | | /administrator/manifests/files/joomla.xml | 200 | **Version 5.3.0 (April 2025)** | | /language/en-GB/en-GB.xml | 200 | Language pack metadata | | /sitemap.xml | 404 | Not found | | /.git/HEAD | 404 | No git repo exposed | | /.env | 403 | Forbidden (file may exist) | | /administrator/cache/ | 200 | Empty () | | /tmp/ | 200 | Empty | | /images/ | 200 | Empty (directory listing disabled) | | Registration form | 303 | Redirect (may be disabled) | ## Security Observations 1. **Joomla API active but auth-required** -- all API endpoints return proper JSON:API 401 responses 2. **Hosted on LWS.fr** -- shared hosting, error pages leak hosting provider 3. **.env returns 403** (not 404) -- file likely exists but is protected 4. **configuration.php returns 406** -- WAF/mod_security blocking .php file access 5. **WebAuthn/Passkey support** enabled on admin login (visible in JS config) 6. **CSRF token visible** in admin page source: `3afe1da066bd7c4b10f7fde7c7e7feeb` 7. **Keepalive interval:** 840000ms (14 minutes) -- session timeout info 8. **No sitemap.xml** -- limits content discovery 9. **robots.txt** minimal -- only blocks calendar and guestbook paths 10. **Directory listing disabled** -- /images/, /tmp/, /cache/ all return empty HTML ## Files Saved - api-root.json, articles.json, categories.json, users.json, menus.json - extensions.json, languages.json, banners.json, contacts.json - newsfeeds.json, tags.json, modules.json - plugins.json, messages.json, templates-styles-site.json - fields-content-articles.json, config-application.json, config-com_media.json - privacy-requests.json, privacy-consents.json, redirects.json, finder.json - admin-login.html, registration.html, robots.txt, headers.txt - configuration.php.txt, joomla-manifest.xml, en-GB.xml - joomla-asset.json, README.txt, htaccess.txt, web.config.txt - images-listing.html, UNZ-PROBE-REPORT.md