# DOUANE.GOUV.HT - Vulnerability Assessment Summary
**Date:** 2026-03-04
**Target:** www.douane.gouv.ht (Administration Generale des Douanes - Haiti)
**Type:** Authorized OSINT Security Assessment

---

## SERVER FINGERPRINT

| Property | Value |
|----------|-------|
| **Server** | Apache/2.4.62 (Win64) OpenSSL/3.1.7 PHP/8.3.14 mod_fcgid/2.3.10-dev |
| **OS** | Windows (Win64) |
| **PHP** | 8.3.14 |
| **CMS** | WordPress 6.9.1 |
| **Theme** | Tecnologia (by Vamtam) |
| **Security Plugin** | Wordfence (API endpoints exposed) |
| **Page Builder** | Elementor + Elementor Pro |
| **Server Path** | `/home/douanego/public_html/newsite.douane.gouv.ht/` |
| **Timezone** | Europe/Paris (GMT+1) |
| **Site Title** | AGD |

---

## CRITICAL FINDINGS

### 1. DIRECTORY LISTING ENABLED - FULL FILE TREE (CRITICAL)
Apache directory listing (`Options +Indexes`) is enabled across the entire WordPress installation:

**Open directories discovered:**
- `/wp-content/uploads/` - Full uploads tree with year/month folders (2013-2026)
- `/wp-content/uploads/2026/02/` - Recent uploaded documents and images
- `/wp-content/uploads/2026/01/` - January uploads browsable
- `/wp-content/uploads/elementor/` - Elementor assets
- `/wp-content/uploads/embedpress/` - EmbedPress data
- `/wp-content/uploads/wp-file-manager-pro/` - File manager upload directory (empty)
- `/wp-content/uploads/wpforms/` - WPForms data (last modified today, 2026-03-04)
- `/wp-content/uploads/wpr-addons/` - Royal Elementor data
- `/wp-content/uploads/premium-addons-elementor/` - Premium Addons data
- `/wp-content/uploads/sb-instagram-feed-images/` - Instagram feed cache
- `/wp-content/uploads/maxmegamenu/` - Mega menu assets
- `/wp-includes/` - **ENTIRE wp-includes source tree** (63KB index listing)

### 2. DEBUG LOG PUBLICLY ACCESSIBLE (CRITICAL)
- **URL:** `https://www.douane.gouv.ht/wp-content/debug.log`
- **Status:** 200 OK, 1,188 bytes
- **Leaked Information:**
  - **Full server path:** `/home/douanego/public_html/newsite.douane.gouv.ht/`
  - PHP Fatal error: memory exhaustion in `royal-elementor-addons/modules/twitter-feed/widgets/wpr-twitter-feed.php` line 854
  - PHP Warnings: header modification issues in `wp-includes/pluggable.php` lines 1435 and 1438
  - Reveals active plugin paths and internal errors
  - Date: June 24, 2025

### 3. SERVER PATH DISCLOSURE (HIGH)
The debug.log reveals the full filesystem path:
```
/home/douanego/public_html/newsite.douane.gouv.ht/
```
This confirms:
- Linux-style path despite "Win64" in Apache Server header (likely XAMPP/WAMP or cPanel-style setup)
- Username: `douanego`
- The current site is in a `newsite.douane.gouv.ht` subdirectory

### 4. VERBOSE SERVER HEADER (HIGH)
The Apache Server header leaks the complete tech stack:
```
Apache/2.4.62 (Win64) OpenSSL/3.1.7 PHP/8.3.14 mod_fcgid/2.3.10-dev
```
- Exact Apache version
- Exact OpenSSL version
- Exact PHP version
- mod_fcgid with "dev" build identifier

### 5. WP-FILE-MANAGER-PRO PLUGIN INSTALLED (HIGH)
- Upload directory exists at `/wp-content/uploads/wp-file-manager-pro/`
- WP File Manager Pro has a history of critical RCE vulnerabilities:
  - CVE-2020-25213: Unauthenticated arbitrary file upload (CVSS 10.0)
  - Multiple subsequent bypasses
- Directory is currently empty but plugin presence is confirmed

### 6. WORDFENCE API ENDPOINTS EXPOSED (MEDIUM)
- **URL:** `https://www.douane.gouv.ht/wp-json/wordfence/v1/`
- Exposed endpoints:
  - `/wordfence/v1/authenticate` (GET, POST)
  - `/wordfence/v1/authenticate-premium` (POST)
  - `/wordfence/v1/config` (GET, POST, PUT, PATCH)
  - `/wordfence/v1/disconnect` (POST, PUT, PATCH)
  - `/wordfence/v1/premium-connect` (POST, PUT, PATCH)
  - `/wordfence/v1/scan/issues` (GET) - could leak scan findings
  - `/wordfence/v1/scan` (POST, DELETE)
  - `/wordfence/v1/scan/issue` (POST, PUT, PATCH)
- These endpoints require authentication, but the listing reveals that Wordfence is installed and exposes its API structure

### 7. WP-JSON API FULLY ACCESSIBLE (MEDIUM)
- **URL:** `https://www.douane.gouv.ht/wp-json/`
- Full namespace listing exposed including:
  - `elementor/v1`, `elementor-pro/v1`
  - `wordfence/v1`
  - `wpraddons/v1`
  - `wpforms/v1`
  - `wp/v2` (core REST API)
- User listing blocked (401) - GOOD
- Page content accessible via `/wp-json/wp/v2/pages`
- Post content accessible with author IDs (author ID 4 identified)

### 8. WP-LOGIN.PHP ACCESSIBLE (LOW)
- **URL:** `https://www.douane.gouv.ht/wp-login.php`
- **Status:** 200 OK, 7,410 bytes
- Standard WordPress login form exposed
- No additional protection (such as CAPTCHA or rate limiting) is visible

---

## PLUGINS DETECTED

| Plugin | Notes |
|--------|-------|
| **elementor** | Page builder (core) |
| **elementor-pro** | Page builder (premium) |
| **embed-any-document** | Document embedder |
| **embedpress** | Media embedder |
| **essential-addons-for-elementor-lite** | Elementor addon pack |
| **premium-addons-for-elementor** | Elementor addon pack |
| **royal-elementor-addons** | Elementor addon (twitter feed crashed) |
| **vamtam-elementor-integration-tecnologia** | Theme integration |
| **wpdatatables** | Data tables plugin |
| **wp-file-manager-pro** | File manager (HIGH RISK) |
| **wpcode** | Code snippets manager |
| **wpforms** | Form builder (active today) |
| **wpr-addons** | Royal addons |
| **wordfence** | Security plugin (API exposed) |

### Theme
- **tecnologia** by Vamtam (premium WordPress theme)

---

## ACCESS CONTROL SUMMARY

| Path | Status | Notes |
|------|--------|-------|
| /web.config | 404 | Not found |
| /iisstart.htm | 404 | Not IIS |
| /aspnet_client/ | 404 | Not ASP.NET |
| /server-status | 404 | Disabled (good) |
| /server-info | 404 | Disabled (good) |
| /.env | 404 | Not exposed (good) |
| /wp-config.php.bak | 404 | Not found (good) |
| /wp-config.php~ | 404 | Not found (good) |
| /wp-config.php.old | 404 | Not found (good) |
| /wp-content/ | 200 | Empty response but accessible |
| /wp-content/uploads/ | **200** | **DIRECTORY LISTING - browsable** |
| /wp-content/debug.log | **200** | **EXPOSED - server path leak** |
| /readme.html | **200** | WP version disclosed |
| /license.txt | 200 | GPL license text |
| /wp-includes/ | **200** | **DIRECTORY LISTING - full source tree** |
| /phpinfo.php | 404 | Not found (good) |
| /info.php | 404 | Not found (good) |
| /test.php | 404 | Not found (good) |
| /sydonia/ | 404 | SYDONIA not on this host |
| /wp-login.php | **200** | Login page exposed |
| /wp-json/ | **200** | Full API namespace listing |
| /wp-json/wordfence/v1/ | **200** | Wordfence API structure |
| /wp-json/wp/v2/users | 401 | Users blocked (good) |
| /wp-json/wp/v2/pages | **200** | Page content accessible |
| /wp-json/wp/v2/posts | **200** | Posts with author IDs |
| /robots.txt | 200 | Minimal robots.txt |
| /wp-sitemap.xml | 200 | Full sitemap index |
| /feed/ | 200 | RSS feed (reveals WP 6.9.1) |
| /?author=N | 404 | Author enum blocked (good) |

---

## RISK RATING: HIGH

**Primary Concerns:**
1. Directory listing enabled across entire WordPress installation - exposes file structure, upload contents, and internal paths
2. debug.log publicly accessible with full server path and error details
3. wp-file-manager-pro plugin installed (history of CVSS 10.0 RCE vulns)
4. Verbose server headers leak complete technology stack
5. Server path disclosure reveals username and directory structure
6. 14+ installed plugins significantly increase the attack surface
7. WP REST API exposes content and plugin enumeration
8. WordPress on Windows is an unusual and less-hardened configuration

**Positive Security Controls:**
- Wordfence installed (WAF/scanner)
- User enumeration blocked (both REST API and /?author=N)
- User registration not exposed
- .env, wp-config backups, phpinfo.php all properly absent
- Apache mod_status and mod_info disabled
- PHP version is current (8.3.14)
- WordPress version is current (6.9.1)

**Recommended Actions:**
1. URGENT: Disable directory listing (`Options -Indexes` in httpd.conf or .htaccess)
2. URGENT: Delete or restrict access to `/wp-content/debug.log`
3. URGENT: Audit wp-file-manager-pro for known vulnerabilities or remove it
4. Trim the verbose Server header to the product name only (`ServerTokens Prod`)
5. Disable `WP_DEBUG_LOG` in wp-config.php or log to a non-web-accessible path
6. Block direct access to `/wp-includes/` directory listing
7. Restrict wp-json API to authenticated users where possible
8. Remove `/readme.html` and `/license.txt`
9. Add security headers (HSTS, X-Frame-Options, CSP)
10. Audit all 14+ plugins for known CVEs

---

## FILES SAVED
- debug.log (server path disclosure, PHP errors)
- readme.html (WordPress version)
- license.txt
- robots.txt, wp-sitemap.xml
- wp-content-uploads-index.html (directory listing)
- wp-includes-index.html (directory listing)
- wordfence-api.json (API endpoint listing)
- wp-login.html (login form)
- uploads-2026-index.html, uploads-2026-03-index.html
