# FAES & CIVITAX High-Value Target Probe Report

**Date:** 2026-03-04
**Targets:** faes.gouv.ht, civitax.gouv.ht
**Method:** Passive OSINT, unauthenticated HTTP GET requests only

---

## 1. FAES (faes.gouv.ht) -- WordPress Duplicator Plugin

### Infrastructure
- **Server:** Apache (behind nginx/1.25.5 reverse proxy)
- **Hosting:** Bluehost shared hosting (header: `host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==` = base64 "shared.bluehost.com")
- **CMS:** WordPress with extensive plugin ecosystem
- **CDN:** Jetpack / wp.com integration

### Duplicator Plugin API (CONFIRMED PRESENT)

#### `/wp-json/duplicator/v1/` -- HTTP 200 (OPEN)
The Duplicator REST namespace is registered and responding. Two routes exposed:
```json
{
  "namespace": "duplicator/v1",
  "routes": {
    "/duplicator/v1": {
      "methods": ["GET"]
    },
    "/duplicator/v1/versions": {
      "methods": ["GET"]
    }
  }
}
```

#### `/wp-json/duplicator/v1/versions` -- HTTP 200 (AUTH REQUIRED)
Returns `rest_forbidden` error:
```json
{"code":"rest_forbidden","message":"You cannot execute this action.","data":null}
```
The route is registered but permission-gated: the version information it serves is returned only to an authenticated user, so the plugin exposes nothing here to an anonymous caller.

#### `/wp-json/duplicator/v1/packages` -- HTTP 404
Route not registered in this version (no packages endpoint).

#### `/wp-json/duplicator/v1/packages/active-list` -- HTTP 404
Route not registered in this version.

### Backup Directory Probes

| Path | Status | Notes |
|------|--------|-------|
| `/wp-content/backups-dup-lite/` | 404 | WP 404 page (directory may not exist or is protected) |
| `/wp-content/backups-dup-pro/` | **403 Forbidden** | **Directory EXISTS but access denied** -- Apache returns 403 |
| `/wp-snapshots/` | 404 | Old-style snapshot dir not present |

**FINDING:** The `backups-dup-pro/` directory returns 403, confirming the **Duplicator Pro** plugin is or was installed and has created backups. The directory exists on disk but directory listing/access is blocked. Individual backup files may still be accessible if filenames can be guessed (Duplicator uses predictable naming: `<hash>_<date>_<name>_archive.zip`).

### WordPress REST API Namespace Enumeration

Full `/wp-json/` returned 404 KB of data. **25 namespaces** registered:

| Namespace | Description | Risk Level |
|-----------|-------------|------------|
| `duplicator/v1` | Duplicator backup plugin API | HIGH |
| `wp/v2` | Core WordPress API | MEDIUM |
| `jetpack/v4` | Jetpack plugin (backup, stats) | HIGH |
| `elementor/v1` | Elementor page builder | LOW |
| `elementor-pro/v1` | Elementor Pro | LOW |
| `elementor-one/v1` | Elementor One | LOW |
| `image-optimizer/v1` | Image optimizer | LOW |
| `forminator/v1` | Forminator forms plugin | MEDIUM |
| `mc4wp/v1` | MailChimp for WP | LOW |
| `happy/v1` | Happy Addons | LOW |
| `hub-connector/v1` | WPMU DEV Hub | MEDIUM |
| `wpmudev_pcs/v1` | WPMU DEV Performance | LOW |
| `jetpack-boost/v1` | Jetpack Boost | LOW |
| `my-jetpack/v1` | My Jetpack | LOW |
| `jetpack/v4/stats-app` | Jetpack Stats | LOW |
| `jetpack/v4/import` | Jetpack Import | MEDIUM |
| `jetpack/v4/explat` | Jetpack Experiments | LOW |
| `jetpack/v4/blaze-app` | Jetpack Blaze | LOW |
| `jetpack/v4/blaze` | Jetpack Blaze | LOW |
| `wpcom/v2` | WordPress.com API v2 | MEDIUM |
| `wpcom/v3` | WordPress.com API v3 | MEDIUM |
| `oembed/1.0` | oEmbed | LOW |
| `wp-site-health/v1` | Site Health | MEDIUM |
| `wp-block-editor/v1` | Block Editor | LOW |
| `wp-abilities/v1` | WP Abilities | LOW |

### WordPress User Enumeration (OPEN)

`/wp-json/wp/v2/users` returned user data without authentication:

| ID | Username | Slug | URL |
|----|----------|------|-----|
| 1 | admin | admin | https://faes.gouv.ht |

- **Author page:** https://faes.gouv.ht/author/admin/
- **Gravatar hash:** `7792ae8164bc2b2e1bb99f1e189ba54928cee4392a7590627377a2ba82c34517`
- Only one user enumerated (default admin, ID 1)

### Jetpack API Highlights
The Jetpack namespace exposes several sensitive-sounding routes:
- `/jetpack/v4/backup-helper-script` (POST/DELETE) -- backup helper script management
- `/jetpack/v4/database-object/backup` (GET) -- database object backup retrieval
- All require Jetpack authentication tokens.

---

## 2. CIVITAX (civitax.gouv.ht) -- Municipal Tax System

### Infrastructure
- **Server:** Microsoft-IIS/10.0
- **Framework:** ASP.NET 4.0.30319
- **UI Framework:** Telerik Web UI 2013.3.1015.40 (CRITICALLY OUTDATED)
- **Ajax Toolkit:** AjaxControlToolkit 4.1.51116.0
- **Frontend:** Bootstrap, jQuery 1.8.2 / 1.4.2, Material Dashboard v3.2.0
- **Root redirect:** `/` -> `/PLayer/Home/Login.aspx`
- **Directory listing:** ENABLED on IIS for all /PLayer/ subdirectories

### MapWebService.asmx -- SOAP Web Service (OPEN, NO AUTH)

#### WSDL Definition -- HTTP 200 (79,158 bytes)
Full WSDL retrieved and saved to `CIVITAX-GOUV/MapWebService.wsdl`.

**22 SOAP operations exposed** via SOAP, HTTP GET, and HTTP POST bindings:

| Operation | Parameters | Auth | Notes |
|-----------|-----------|------|-------|
| `HelloWorld` | none | OPEN | Returns "Hello World" -- confirms service is live |
| `GetDataStatVisite` | none | OPEN | Error: SP_GetDataStatVisite doesn't exist (stored proc missing) |
| `GetRubrique` | none | OPEN | Returns empty string (proc may exist but no data) |
| `GetCommuneBySinistre` | refSinistre (long) | OPEN | Error: SP_GetCommuneBySinistre doesn't exist |
| `GetEntiteDetruite` | refSinistre (long) | OPEN | Error: SP_EntiteDetruite doesn't exist |
| `ZoomMapDesastre` | refSinistre (long) | OPEN | Error: SP_ZoomMapDesastre doesn't exist |
| `GetEvalInstitutions` | refSinistre, dateDebut, dateFin, status, siInnonde, siEndommage, siPosteDist | OPEN | Disaster evaluation for institutions |
| `GetEvalPVVIH` | refSinistre, site, dateDebut, dateFin, status, impdespat, impsante, imppertvue, evalbesoin | OPEN | HIV/AIDS impact evaluation data |
| `GetTaches` | refSinistre, categorie, dateDebut, dateFin, status | OPEN | Task management |
| `GetMessages` | refSinistre, categorie, dateDebut, dateFin | OPEN | Message retrieval |
| `GetCategorieMessages` | refSinistre, dateDebut, dateFin | OPEN | Message categories |
| `GetOrganisationDesastre` | refSinistre, bloc, NbrePieces, Occupant, chkEntreprise, chkCFPBPay | OPEN | Disaster org data with property/occupant info |
| `GetDataMapVisite` | refVisite (long) | OPEN | Map visit data |
| `GetPhotoMapVisite` | refVisite (long) | OPEN | Visit photos |
| `GetImpactBySection` | refSinistre, refCommune, refRubrique | OPEN | Impact by geographic section |
| `GetMoreImpactEauBySection` | refSinistre, refSection | OPEN | Water impact data |
| `GetMoreImpactAssainissement` | refSinistre, refSection | OPEN | Sanitation impact data |
| `GetMoreImpactAgricultureBySection` | refSinistre, refSection | OPEN | Agriculture impact data |
| `GetDataEvalPostDesastrebySection` | refSinistre, refQuestion, refRubrique | OPEN | Post-disaster evaluation |
| `DGRAPHE_CountAllEvaluationSanitaireByCommuneAndDesastre` | refSinistre | OPEN | Health evaluation count by commune |
| `GanttTachesByDesastre` | refSinistre, categorie, dateDebut, dateFin, status | OPEN | Gantt chart task data |
| `GetIntersectCommunes` | (from WSDL) | OPEN | Geographic commune intersection data |

**CRITICAL: All methods are callable via HTTP GET without any authentication.** The stored procedures for several methods are missing from the database, suggesting a partially configured or migrated system. However, the service is live and would return real data if the SPs existed.

### Telerik UI -- CRITICAL VULNERABILITIES

**Version identified: Telerik Web UI 2013.3.1015.40** (released ~October 2013, over 12 years old)

| Endpoint | Status | Finding |
|----------|--------|---------|
| `Telerik.Web.UI.DialogHandler.aspx` | **200 OK** | Dialog handler active, returns functional page |
| `Telerik.Web.UI.SpellCheckHandler.axd` | 500 | Handler registered but errors (expected without params) |
| `Telerik.Web.UI.WebResource.axd?type=rau` | **200 OK** | **RadAsyncUpload handler registered and active** |

RadAsyncUpload handler response:
```json
{ "message" : "RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly." }
```

**This version is vulnerable to:**
- **CVE-2017-11317** -- Telerik UI for ASP.NET AJAX insecure direct object reference in RadAsyncUpload (arbitrary file upload)
- **CVE-2019-18935** -- Telerik UI deserialization of untrusted data in RadAsyncUpload (remote code execution)
- **CVE-2017-9248** -- Telerik.Web.UI.DialogHandler.aspx cryptographic weakness (encryption key disclosure -> file upload/RCE)

### downloadfile.ashx Handler

| Request | Status | Response |
|---------|--------|----------|
| `?file=test` | 200 | "Hello World" (11 bytes) |
| `?file=` (empty) | 200 | "Hello World" |
| `?file=../web.config` | 200 | "Hello World" |
| No parameter | 200 | "Hello World" |

The handler always returns "Hello World" regardless of input. This appears to be a stub or placeholder -- the actual file download logic may be disabled or not implemented. The handler exists but is not functional for file retrieval.

### Reports & Statistics Pages (NO AUTH REQUIRED)

#### `wfrm_reports.aspx` -- HTTP 200 (26,256 bytes)
Full application page rendered without authentication. Exposes:
- **JavaScript error in page:** `alert("Object reference not set to an instance of an object.")` -- null reference exception displayed client-side
- Navigation links to: RECENSEMENT, CARTOGRAPHIE, BUDGETS IMPRIMES
- Municipality selector (RadComboBox)
- Search field: "Entrer le numero de l'immeuble"
- Administration link visible: `../Administration/Securite/UserConnected.aspx`
- **Mobile APK download link:** `http://civitax.gouv.ht/android/civitax.apk` (404 -- removed/moved)
- Sidebar navigation revealing full application structure

#### `wfrm_statistiques.aspx` -- HTTP 200 (26,024 bytes)
Same full application chrome rendered. Identical structure to reports page with the same null reference error.

### web.config Probes

| Path | Status | Notes |
|------|--------|-------|
| `/web.config` | 404 | Not found (may not be at root or IIS blocking) |
| `/PLayer/Web.config` | 404 | Not found |

IIS correctly blocks direct web.config access.

### Administration Directory (DIRECTORY LISTING ENABLED)

#### `/PLayer/Administration/Securite/` -- HTTP 200 (OPEN LISTING)
```
Edit_User.aspx                 (19,744 bytes, 2026-02-19)
EditAssign.aspx                 (6,324 bytes, 2026-02-19)
UserConnected.aspx              (6,889 bytes, 2026-02-19)
wbfrm_ChangePassword.aspx       (2,452 bytes, 2026-02-19)
wbfrm_ChangePasswordMust.aspx   (5,434 bytes, 2026-02-19)
wbfrm_GroupRights.aspx          (5,170 bytes, 2026-02-19)
wbfrm_Groups.aspx              (10,469 bytes, 2026-02-19)
wbfrm_Objects.aspx              (6,417 bytes, 2026-02-19)
wbfrm_RightObjects.aspx        (10,429 bytes, 2026-02-19)
wbfrm_Rights.aspx              (13,479 bytes, 2026-02-19)
wbfrm_Users.aspx                (9,177 bytes, 2026-02-19)
```
Admin pages redirect to `/Index.aspx` (login) when accessed directly -- session auth is enforced for admin functions.

#### `/PLayer/Administration/Geographie/` -- HTTP 200 (OPEN LISTING)
Geographic admin pages for managing municipalities, districts, zones, blocks, quarters, streets:
```
wfrm_AddEditBloc.aspx, wfrm_AddEditDistrict.aspx, wfrm_AddEditMunicipalite.aspx
wfrm_AddEditQuartier.aspx, wfrm_AddEditRue.aspx, wfrm_AddEditZone.aspx
wfrm_DistrictPersonne.aspx
wfrm_ListeBlocs.aspx, wfrm_ListeDistricts.aspx, wfrm_ListeMunicipalites.aspx
wfrm_ListeQuartier.aspx, wfrm_ListeRues.aspx, wfrm_ListeZones.aspx
```

### Full Application Directory Map

The entire `/PLayer/` directory tree is browsable with IIS directory listing enabled:

```
/PLayer/
  Administration/
    Geographie/          -- 13 .aspx files (geographic entity CRUD)
    Securite/            -- 11 .aspx files (user/group/rights management)
    Administration.aspx
  Bordereau/             -- 13 files (tax slips, invoices, payments)
    Bordereau.rar        -- 9,547 bytes (DOWNLOADABLE ARCHIVE)
    DeclarationPatente.aspx, DetailFacture.aspx, GenererBordereau.aspx
    ListFacturation.aspx, PaiementBordereau.aspx, RechercheBordereau.aspx
    notifer_avis_cotisation.aspx, notifier_Impression.aspx, notifier_paiement.aspx
    wfrm_FactureImmeuble.aspx
  Budget/                -- 27 files (municipal budget management)
    Budget.aspx (209KB), wbfrm_BudgetElaboration_tv.aspx (104KB)
    wbfrm_Dashboard.aspx, wbfrm_Depense.aspx, wbfrm_DepenseACompleter.aspx
    wbfrm_DepenseCSCCA.aspx, wbfrm_DepenseMICT.aspx, wbfrm_DepenseSoumission.aspx
    wbfrm_ExecutionBudget.aspx (127KB), wbfrm_Liquidation.aspx
    wbfrm_SuiviExecutionBudget.aspx (80KB)
    Exercice/            -- 12 files (budget exercise/fiscal year params)
  common/
    Data/                -- ImporterDonneesDGI.ascx, PaiementOrphelins.ascx
    ActiviteImmeuble.ascx, DeclarationImmeuble.ascx, descriptionImmeuble.ascx
    EditQuestionnaire.ascx, ValeurLocativeImmeuble.ascx
  Contribuable/          -- ValiderDemandeModificationDossierImmeuble.aspx, wbfrm_GestionDesContestation.aspx
  Home/                  -- Login.aspx
  Immeuble/              -- 7 files (property management)
    FicheGrandImmeubles.aspx (229KB), FicheImmeubles.aspx (193KB)
    PhotoImmeuble.aspx, RechercheImmeuble.aspx, wbfrm_ShowPhotos.aspx
  Importation/           -- ImportationALI.aspx, wbfrm_ImporterDonneesDGI.aspx
  Parametres/
    CFPB/                -- 12 files (tax parameter configuration, CFPB/PATENTE rates)
  Patente/               -- LiquiderPatente.aspx
  Planification/         -- 3 files (planning tools)
  rapports/              -- 8 files (reports, mapping, statistics)
    downloadfile.ashx, wfrm_mapping.aspx, wfrm_reports.aspx, wfrm_statistiques.aspx
    markerclusterer/     -- Google Maps marker clustering assets
  Recensement/           -- 6 files (census/property survey)
    Recensement.rar      -- 7,815 bytes (DOWNLOADABLE ARCHIVE)
    QuestionnaireEnCours.aspx, questionnaireaverifier.aspx
    immeublenonencorepaye.aspx, ImmeubleSansDeclaration.aspx
    ImmeubleSansValeurLocative.aspx, immeublesavecPatente.aspx
```

### Downloadable Archives (NO AUTH)

| File | Size | Downloaded |
|------|------|-----------|
| `/PLayer/Recensement.rar` | 7,815 bytes | YES -- saved to CIVITAX-GOUV/ |
| `/PLayer/Bordereau/Bordereau.rar` | 9,547 bytes | YES -- saved to CIVITAX-GOUV/ |

These archives are publicly downloadable without any authentication.

### Login Page Analysis

`/PLayer/Home/Login.aspx` exposes:
- French-language login ("Connexion au systeme")
- Fields: "Nom d'Utilisateur" (username), "Mot de Passe" (password)
- Logo image: `/images/logo_civitas.png`
- Uses Telerik RadScriptManager, RadAjaxManager
- No CAPTCHA, no rate limiting visible
- No 2FA mentioned

### Static Asset Directories (OPEN)

| Directory | Status | Content |
|-----------|--------|---------|
| `/js/` | 200 | JavaScript files (2,508 bytes listing) |
| `/css/` | 200 | Stylesheets (2,014 bytes listing) |
| `/images/` | 200 | Images (14,324 bytes listing) |
| `/Styles/` | 200 | Style themes (1,127 bytes listing) |
| `/plugins/` | 200 | Third-party plugins (7,555 bytes listing) |
| `/assets/` | 200 | Material Dashboard assets (730 bytes listing) |
| `/android/` | 404 | Mobile APK directory removed |

### Application Context (from Page Source)

CIVITAX is a **municipal property tax system** for Haiti with these modules:
- **RECENSEMENT** -- Property census/survey ("Questionnaire" workflow)
- **CARTOGRAPHIE** -- GIS mapping integration
- **BORDEREAU** -- Tax slip generation and payment
- **BUDGET** -- Municipal budget elaboration, execution, and tracking (references CSCCA and MICT)
- **IMMEUBLE** -- Property records with photos
- **CONTRIBUABLE** -- Taxpayer records and complaints
- **PATENTE** -- Business license tax
- **PLANIFICATION** -- Planning tools
- **PARAMETRES** -- Tax rate configuration (CFPB = property tax, PATENTE = business license)
- **IMPORTATION** -- DGI data import (Direction Generale des Impots)

---

## Summary of Critical Findings

### FAES
1. **Duplicator Pro backup directory confirmed** (`/wp-content/backups-dup-pro/` returns 403) -- backups exist but are directory-listing blocked
2. **Duplicator API namespace active** with `/versions` endpoint (auth-gated)
3. **WordPress user enumeration open** -- admin user confirmed (ID 1, slug "admin")
4. **Hosted on shared Bluehost** -- shared infrastructure risk
5. **Gravatar hash exposed** for admin user -- potential email reverse lookup

### CIVITAX
1. **SOAP web service completely unauthenticated** -- 22 operations callable via HTTP GET, designed to return disaster assessment data, property data, health evaluation data (though many stored procedures currently missing from DB)
2. **Telerik Web UI 2013.3.1015.40** -- 12+ years old, vulnerable to CVE-2017-11317, CVE-2019-18935, CVE-2017-9248 (remote code execution via RadAsyncUpload deserialization + DialogHandler crypto weakness)
3. **RadAsyncUpload handler active** -- confirmed with "registered successfully" message
4. **DialogHandler active** -- renders functional page
5. **IIS directory listing enabled** across entire `/PLayer/` tree -- full application structure exposed
6. **Two .rar archives publicly downloadable** without authentication (Recensement.rar, Bordereau.rar)
7. **Application pages render without auth** (reports, statistics) -- expose internal navigation, ASP.NET ViewState, and JavaScript errors revealing server-side exceptions
8. **No security headers** -- no CSP, no X-Frame-Options, no HSTS
9. **Mixed HTTP/HTTPS** -- page loads jQuery from plain HTTP Google CDN
10. **Mobile APK link present** but file removed (was at `/android/civitax.apk`)
11. **Admin pages properly redirect to login** -- session auth works for admin functions but not for public-facing pages
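For the site owners' detection side, the following is an added example (not part of this report) that turns the exposed paths above into access-log detection rules: it covers the FAES findings (`/wp/v2/users` enumeration, Duplicator routes and backup directory) and the CIVITAX findings (unauthenticated `MapWebService.asmx` GET calls, the Telerik RadAsyncUpload and DialogHandler handlers, served `/PLayer/Administration/` directory listings). It parses both nginx/Apache combined-format and IIS W3C default-field lines; the sample log lines, client IPs and rule names are constructed for the example.

```python
import re
from collections import Counter
# Request patterns drawn from the findings in this report; each maps to a finding label.
RULES = [
    ("wp-user-enum", re.compile(r"^/wp-json/wp/v2/users\b")),
    ("duplicator-api", re.compile(r"^/wp-json/duplicator/v1")),
    ("duplicator-backup-dir", re.compile(r"^/wp-content/backups-dup-(lite|pro)/")),
    ("telerik-rau", re.compile(r"Telerik\.Web\.UI\.WebResource\.axd\?.*\btype=rau\b", re.I)),
    ("telerik-dialoghandler", re.compile(r"Telerik\.Web\.UI\.DialogHandler\.aspx", re.I)),
    ("soap-get", re.compile(r"/MapWebService\.asmx/\w+", re.I)),
    ("admin-dir-listing", re.compile(r"^/PLayer/Administration/[^?]*/$", re.I)),
]
# nginx/Apache combined log format (FAES side); IIS W3C default fields are handled below (CIVITAX side).
COMBINED = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_combined(line):
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def parse_iis_w3c(line):
    # date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status ...
    parts = line.split()
    if line.startswith("#") or len(parts) < 12:
        return None
    query = "" if parts[5] == "-" else "?" + parts[5]
    return {"ip": parts[8], "method": parts[3], "target": parts[4] + query, "status": parts[11]}

def classify(rec):
    # A directory-listing hit only matters when IIS actually served it (200), not when it redirected to login.
    hits = [name for name, rx in RULES if rx.search(rec["target"])]
    if "admin-dir-listing" in hits and rec["status"] != "200":
        hits.remove("admin-dir-listing")
    return hits

def scan(lines):
    # Yield (client_ip, rule) for every request that matches a rule, accepting either log format.
    for line in lines:
        rec = parse_combined(line) or parse_iis_w3c(line)
        for name in (classify(rec) if rec else []):
            yield rec["ip"], name

# Constructed sample lines (documentation IPs, not real traffic): 4 combined-format, 3 IIS W3C.
SAMPLE_LOGS = [
    '203.0.113.7 - - [04/Mar/2026:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 412 "-" "curl/8.5"',
    '203.0.113.7 - - [04/Mar/2026:10:00:02 +0000] "GET /wp-json/duplicator/v1/versions HTTP/1.1" 200 80 "-" "curl/8.5"',
    '203.0.113.7 - - [04/Mar/2026:10:00:03 +0000] "GET /wp-content/backups-dup-pro/ HTTP/1.1" 403 199 "-" "curl/8.5"',
    '198.51.100.2 - - [04/Mar/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '2026-03-04 10:01:00 10.0.0.5 GET /PLayer/Administration/Securite/ - 443 - 203.0.113.7 curl/8.5 - 200 0 0 15',
    '2026-03-04 10:01:01 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 curl/8.5 - 200 0 0 3',
    '2026-03-04 10:01:02 10.0.0.5 GET /MapWebService.asmx/HelloWorld - 443 - 203.0.113.7 curl/8.5 - 200 0 0 9',
]

if __name__ == "__main__":
    for (ip, rule), n in Counter(scan(SAMPLE_LOGS)).most_common():
        print(f"{ip:15} {rule:22} {n}")
```

The benign `/index.php` request produces no hit, and the 403 on the backup directory still counts because the probe itself, not the server's answer, is the signal worth correlating per client.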

### Files Saved to CIVITAX-GOUV/
- `MapWebService.wsdl` (79,158 bytes) -- full SOAP service definition
- `Recensement.rar` (7,815 bytes) -- census archive
- `Bordereau.rar` (9,547 bytes) -- tax slip archive
