# CONATEL.GOUV.HT - Vulnerability Assessment Summary
**Date:** 2026-03-04
**Target:** conatel.gouv.ht (Conseil National des Telecommunications - Haiti)
**Type:** Authorized OSINT Security Assessment

---

## SERVER FINGERPRINT

| Property | Value |
|----------|-------|
| **Server** | Apache (version not disclosed in header) |
| **PHP** | 7.0.33 (EOL since Dec 2018) |
| **CMS** | Drupal 7.70 (released May 2020) |
| **Language** | French (fr) |
| **SSL Cert** | GoDaddy, valid Sep 17 2025 - Oct 19 2026 |
| **X-Frame-Options** | SAMEORIGIN |
| **X-Content-Type-Options** | nosniff |
| **CSP** | upgrade-insecure-requests only |
| **HTTP -> HTTPS** | 301 redirect (good) |

---

## CRITICAL FINDINGS

### 1. SEVERELY OUTDATED SOFTWARE (CRITICAL)
- **PHP 7.0.33**: End of Life since **December 3, 2018** (7+ years without security patches)
  - Vulnerable to hundreds of known CVEs
  - No security fixes since PHP 7.0.33 (Jan 2019)
- **Drupal 7.70**: Released May 2020, current is **7.101+** (dozens of security patches missed)
  - Missing SA-CORE-2020-004 through all subsequent advisories
  - Drupal 7 itself reached EOL in January 2025 (already past)

### 2. INFORMATION DISCLOSURE - CHANGELOG.txt (HIGH)
- **URL:** `https://conatel.gouv.ht/CHANGELOG.txt`
- **Status:** 200 OK, 115,535 bytes
- Confirms exact version: **Drupal 7.70**
- Shows the full patch history, which enables targeted exploit selection
- robots.txt lists `Disallow: /CHANGELOG.txt`, but robots.txt is only advisory to crawlers; the server does NOT enforce it as access control

### 3. INFORMATION DISCLOSURE - Multiple Text Files (HIGH)
All default Drupal text files are publicly accessible despite the `Disallow` entries in robots.txt:
- `/CHANGELOG.txt` - 200 OK (115KB) - Full version history
- `/INSTALL.txt` - 200 OK (18KB) - Installation instructions
- `/MAINTAINERS.txt` - 200 OK (8KB) - Core maintainer list
- `/UPGRADE.txt` - 200 OK (10KB) - Upgrade instructions
- `/README.txt` - 200 OK (5KB) - Drupal readme
- `/robots.txt` - 200 OK (2KB) - Full site structure map

### 4. XMLRPC.PHP ENABLED (MEDIUM)
- **URL:** `https://conatel.gouv.ht/xmlrpc.php`
- **Status:** 200 OK
- Response: "XML-RPC server accepts POST requests only."
- Potential for brute-force attacks, SSRF, pingback DDoS

### 5. INSTALL.PHP ACCESSIBLE (MEDIUM)
- **URL:** `https://conatel.gouv.ht/install.php`
- **Status:** 200 OK
- Shows "Drupal already installed" page with Seven theme
- Confirms an active Drupal installation; the path should return 403

### 6. CRON.PHP EXISTS (LOW-MEDIUM)
- **URL:** `https://conatel.gouv.ht/cron.php`
- **Status:** 403 (Forbidden - requires cron key)
- Properly protected but confirms path existence

### 7. USER LOGIN PAGE EXPOSED (INFORMATIONAL)
- **URL:** `https://conatel.gouv.ht/user/login` and `/?q=user`
- **Status:** 200 OK
- Standard Drupal login form exposed
- Title: "Login | CONATEL"
- User registration disabled (403 on `/user/register`) - GOOD

---

## MODULES DETECTED

### Core Modules
- aggregator, content, field, node, search, system, user

### Contributed Modules (sites/all/modules/)
- **addthis** - Social sharing
- **addtoany** - Share buttons
- **admin_menu** - Admin toolbar
- **ckeditor** - WYSIWYG editor
- **ctools** - Chaos Tools suite
- **panels** - Page layout manager
- **responsive_dropdown_menus** - Menu system
- **views** - Query builder
- **views_nivo_slider** - Image slider

### Themes
- **conatel** (custom theme)
- **default**

---

## ACCESS CONTROL SUMMARY

| Path | Status | Notes |
|------|--------|-------|
| /CHANGELOG.txt | 200 | EXPOSED - version disclosure |
| /INSTALL.txt | 200 | EXPOSED |
| /UPDATE.txt | 404 | Not found |
| /core/CHANGELOG.txt | 404 | Not D8+ (expected) |
| /MAINTAINERS.txt | 200 | EXPOSED |
| /UPGRADE.txt | 200 | EXPOSED |
| /README.txt | 200 | EXPOSED |
| /admin/ | 403 | Properly restricted |
| /admin/config | 403 | Properly restricted |
| /user/login | 200 | Login form exposed |
| /user/register | 403 | Registration disabled (good) |
| /node | 200 | Content listing (homepage) |
| /sites/default/files/ | 404 | Not browsable (good) |
| /misc/drupal.js | 200 | JS accessible |
| /profiles/ | 404 | Not browsable (good) |
| /?q=user | 200 | Alternative login works |
| /cron.php | 403 | Protected (needs key) |
| /install.php | 200 | ACCESSIBLE - should be blocked |
| /xmlrpc.php | 200 | ENABLED - attack surface |
| /robots.txt | 200 | Full structure map |
| /sitemap.xml | 200 | Full URL listing |
| /rss.xml | 200 | RSS feed active |

---

## RISK RATING: HIGH

**Primary Concerns:**
1. PHP 7.0.33 is 7+ years past EOL with hundreds of unpatched CVEs
2. Drupal 7.70 is missing 30+ security advisories
3. Drupal 7 itself reached EOL in January 2025
4. Full version fingerprinting possible via CHANGELOG.txt
5. xmlrpc.php and install.php should be blocked
6. No WAF detected in front of the application

**Recommended Actions:**
1. URGENT: Upgrade PHP to 8.2+ minimum
2. URGENT: Update Drupal to latest 7.x OR migrate to Drupal 10/11
3. Block access to `*.txt` files at web server level
4. Disable xmlrpc.php
5. Block install.php
6. Implement a WAF (Cloudflare, etc.)
7. Add security headers (HSTS, and a CSP with restrictive directives beyond `upgrade-insecure-requests`)
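
One way to implement actions 3, 4, 5 and 7 on the Apache server identified in the fingerprint. This is an added example and not part of the original assessment. It assumes Apache 2.4 with `mod_authz_core` and `mod_headers` loaded, and the CSP values are illustrative starting points.

```apache
# Added example (not from the assessment). Assumes Apache 2.4.
# Place inside the site's HTTPS <VirtualHost>, or in the docroot .htaccess
# if AllowOverride permits these directives.

# Action 3: deny the text files shipped with Drupal 7 core.
# FilesMatch tests the file name only, so copies inside module and theme
# directories are covered too. robots.txt is deliberately not matched:
# a blanket "*.txt" rule would also hide it from crawlers.
<FilesMatch "^(CHANGELOG|COPYRIGHT|INSTALL(\.[a-z]+)?|LICENSE|MAINTAINERS|README|UPGRADE)\.txt$">
    Require all denied
</FilesMatch>

# Actions 4 and 5: deny xmlrpc.php and install.php.
# Denying xmlrpc.php breaks any legitimate XML-RPC client; confirm none
# exists before deploying.
<FilesMatch "^(install|xmlrpc)\.php$">
    Require all denied
</FilesMatch>

# Action 7: security headers.
<IfModule mod_headers.c>
    # HSTS for this host only. Add includeSubDomains only after every
    # subdomain is confirmed to serve HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Drupal 7 emits inline scripts, so begin in report-only mode and
    # tighten the policy after reviewing what it would block. This is a
    # separate header, so the existing upgrade-insecure-requests policy
    # keeps working.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
</IfModule>
```

After a configuration reload, the paths marked EXPOSED, ACCESSIBLE or ENABLED in the access control table should return 403, while `/robots.txt` should still return 200.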

---

## FILES SAVED
- CHANGELOG.txt, INSTALL.txt, MAINTAINERS.txt, UPGRADE.txt, README.txt
- robots.txt, sitemap.xml, rss.xml
- drupal.js, user-login.html, install.php.html, xmlrpc.php.html
- admin_.html, admin_config.html, cron.php.html, node.html
