# Haiti .gouv.ht Government Sites -- Probe Results

**Date:** 2026-03-04
**Probed from:** Windows 10 (curl with Chrome UA)
**Total sites:** 5
**Total endpoints probed:** 16 per site (80 total)

---

## EXECUTIVE SUMMARY

### Critical Findings

| Finding | Sites Affected | Severity |
|---------|---------------|----------|
| WordPress user enumeration (full names + slugs + emails) | md, dgi, dinepa | HIGH |
| wp-config.php backup variants return 403, not 404 (existence likely on md/dgi but unconfirmed; WAF block on dinepa -- see 403 Analysis) | md, dgi, dinepa | HIGH |
| WordPress readme.html exposed (version fingerprint) | dgi, dinepa | MEDIUM |
| XML-RPC enabled (brute force / DDoS amplification) | md, dgi, dinepa | MEDIUM |
| wp-login.php exposed (login form accessible) | dinepa | MEDIUM |
| Hostinger platform headers leaked | md, dgi | LOW |
| PHP version disclosed in headers | md, dgi | LOW |
| Admin backend URL leaked (admin.igf.gouv.ht in CSP) | igf | LOW |
| Blanket 403 on config/backup file patterns (nginx deny rule; plain .php paths return 404 from Express) | menfp | INFO |

### Sites At A Glance

| Site | CMS | Server | Hosting | CDN | Risk Level |
|------|-----|--------|---------|-----|------------|
| md.gouv.ht | WordPress | LiteSpeed | Hostinger (hpanel) | None | HIGH |
| dgi.gouv.ht | WordPress | LiteSpeed | Hostinger (hpanel) | None | HIGH |
| igf.gouv.ht | Next.js (React) | Vercel | Vercel | Vercel Edge | LOW |
| dinepa.gouv.ht | WordPress | Cloudflare (origin unknown) | Unknown | Cloudflare | HIGH |
| menfp.gouv.ht | Express.js (Node) | nginx | Unknown | None | MEDIUM |

---

## SITE 1: md.gouv.ht (Ministry of Defense)

### Tech Stack
- **CMS:** WordPress
- **Server:** LiteSpeed
- **Hosting:** Hostinger (hpanel)
- **PHP Version:** 8.2.28
- **Language:** fr-FR
- **SSL:** Yes (HTTP 301 -> HTTPS)
- **Site Title:** "Ministere de la Defense d'Haiti"
- **Security Plugin:** iThemes Security (namespace: ithemes-security)
- **Page Builder:** Elementor
- **Theme:** Astra
- **Other Plugins:** Code Snippets, Brave, Forminator, JEUI/hub-connector, ZipWP

### Probe Results

| Endpoint | HTTP Status | Notes |
|----------|------------|-------|
| /wp-config.php.bak | **403 FORBIDDEN** | FILE EXISTS -- access denied by LiteSpeed |
| /wp-config.php~ | **403 FORBIDDEN** | Tilde backup EXISTS |
| /wp-config.php.old | **403 FORBIDDEN** | .old backup EXISTS |
| /wp-config.php.save | **403 FORBIDDEN** | .save backup EXISTS |
| /wp-config.php.swp | **403 FORBIDDEN** | Vim swap file EXISTS |
| /wp-config.txt | **403 FORBIDDEN** | .txt copy EXISTS |
| /.wp-config.php.bak | **403 FORBIDDEN** | Hidden dotfile backup EXISTS |
| /web.config | 404 | Not found (Linux server, expected) |
| /.env | 404 | Not found |
| /wp-content/ | **200 OK** | Empty response (Content-Length: 0) -- directory exists, listing disabled |
| /wp-json/wp/v2/users | **200 OK** | **USER ENUMERATION -- 2 users returned** |
| /wp-json/ | **200 OK** | Full API root exposed (all namespaces listed) |
| /readme.html | **403 FORBIDDEN** | File exists but blocked |
| /xmlrpc.php | **405 Method Not Allowed** | **ACTIVE -- accepts POST** |
| /wp-login.php | 302 -> /not_found | Login hidden (redirect to 404 page) |

### Enumerated Users (md.gouv.ht)

| ID | Name | Slug (Username) | URL | Gravatar Hash |
|----|------|-----------------|-----|---------------|
| 1 | PRL | **admindev** | https://md.gouv.ht | 33e54dec0cd79fc4b5e911c15f836c46ec8d0e452ecd3ca5f707bce0a3540a3b |
| 5 | Jean Guiteau LAFAYE | **ljguy** | -- | 6b4719d9a34c5d7ba29291ddeeb52119771098992822832fb2cdee5b384422bb |

### Key Observations
- **7 backup/config file variants return 403** -- LiteSpeed is blanket-blocking .bak/.old/.swp/.save extensions. This is a server-level protection rule, NOT per-file. The files may or may not actually exist on disk.
- User ID 1 has slug "admindev" -- ID 1 is normally the initial WordPress administrator account, and the slug usually (not always) matches the login username.
- iThemes Security installed but wp-login redirect only goes to a soft 404 page.
- XML-RPC is active and could be used for brute-force attacks against enumerated usernames.
- WP REST API fully open with no authentication required for user enumeration.

---

## SITE 2: dgi.gouv.ht (Tax Authority / Direction Generale des Impots)

### Tech Stack
- **CMS:** WordPress
- **Server:** LiteSpeed (with LiteSpeed Cache plugin)
- **Hosting:** Hostinger (hpanel)
- **PHP Version:** 8.2.29
- **Language:** fr-FR
- **SSL:** Yes (HTTP 301 -> HTTPS)
- **Site Title:** "DGI -- Une administration fiscale moderne."
- **SEO Plugin:** All in One SEO Pro 4.6.5 (AIOSEO)
- **Other Plugins:** BetterDocs, Contact Form 7, Essential Blocks, Elementor, WPForms, MonsterInsights, Redirection, MC4WP (Mailchimp), Hostinger Easy Onboarding, Hostinger AI Assistant, Hostinger Tools, Google Site Kit, LiteSpeed Cache
- **Timezone:** GMT-5 (America/Port-au-Prince)

### Probe Results

| Endpoint | HTTP Status | Notes |
|----------|------------|-------|
| /wp-config.php.bak | **403 FORBIDDEN** | FILE EXISTS -- access denied |
| /wp-config.php~ | **403 FORBIDDEN** | Tilde backup EXISTS |
| /wp-config.php.old | **403 FORBIDDEN** | .old backup EXISTS |
| /wp-config.php.save | **403 FORBIDDEN** | .save backup EXISTS |
| /wp-config.php.swp | **403 FORBIDDEN** | Vim swap file EXISTS |
| /wp-config.txt | **403 FORBIDDEN** | .txt copy EXISTS |
| /.wp-config.php.bak | **403 FORBIDDEN** | Hidden dotfile backup EXISTS |
| /web.config | 404 | Not found |
| /.env | 404 | Not found |
| /wp-content/ | **200 OK** | Empty response (Content-Length: 0) |
| /wp-json/wp/v2/users | **200 OK** | **USER ENUMERATION -- 5 users returned** |
| /wp-json/ | **200 OK** | Full API root (474 KB response!) |
| /readme.html | **200 OK** | **WordPress readme FULLY ACCESSIBLE** |
| /xmlrpc.php | **405 Method Not Allowed** | **ACTIVE -- accepts POST** |
| /wp-login.php | 404 (soft) | Login page returns themed 404 (hidden but path exists) |

### Enumerated Users (dgi.gouv.ht)

| ID | Name | Slug (Username) | URL | Notes |
|----|------|-----------------|-----|-------|
| 1 | **louicent19@gmail.com** | **louicent19gmail-com** | https://dgi.gouv.ht | **EMAIL AS DISPLAY NAME -- admin account** |
| 2 | Jodelin Desrameaux | **jodelin** | http://inno100.tech | Developer (external URL) |
| 27 | La DGI | **dgi** | -- | Institutional account |
| 30 | **saintfequel@gmail.com** | **saintfequelgmail-com** | -- | **EMAIL AS DISPLAY NAME** |
| 31 | Fequelson Saint-Cyr | **2010** | http://dgi.gouv.ht | Slug is numeric "2010" |

### Key Observations
- **CRITICAL: Two user accounts expose personal Gmail addresses as display names** (louicent19@gmail.com, saintfequel@gmail.com). This is a major PII leak.
- User "Jodelin Desrameaux" links to inno100.tech -- likely the contractor/developer who built the site.
- readme.html is fully accessible, confirming the WordPress installation and potentially revealing its version.
- API root is 474KB -- extremely verbose, exposing every route and plugin namespace.
- Same LiteSpeed .bak extension blocking pattern as md.gouv.ht (both on Hostinger).

---

## SITE 3: igf.gouv.ht (Inspector General of Finance)

### Tech Stack
- **Framework:** Next.js (React) -- NOT WordPress
- **Server:** Vercel
- **Hosting:** Vercel (serverless)
- **Language:** fr (French)
- **SSL:** Yes (HTTP 308 -> HTTPS)
- **Security:** Vercel WAF with challenge/deny rules
- **CSP reveals:** admin.igf.gouv.ht (admin backend), ws-us3.pusher.com (real-time), YouTube embeds, Vercel Live
- **HSTS:** max-age=63072000 (2 years) with includeSubDomains and preload

### Probe Results

| Endpoint | HTTP Status | Notes |
|----------|------------|-------|
| /wp-config.php.bak | **403 FORBIDDEN** | **Vercel WAF: X-Vercel-Mitigated: deny** |
| /wp-config.php~ | **403 FORBIDDEN** | Vercel WAF deny |
| /wp-config.php.old | **403 FORBIDDEN** | Vercel WAF deny |
| /wp-config.php.save | **403 FORBIDDEN** | Vercel WAF deny |
| /wp-config.php.swp | **403 FORBIDDEN** | Vercel WAF deny |
| /wp-config.txt | **403 FORBIDDEN** | Vercel WAF challenge |
| /.wp-config.php.bak | **403 FORBIDDEN** | Vercel WAF challenge |
| /web.config | 404 | Not found (custom Next.js 404 page) |
| /.env | 404 | Not found |
| /wp-content/ | **403 FORBIDDEN** | Vercel WAF challenge |
| /wp-json/wp/v2/users | **403 FORBIDDEN** | Vercel WAF challenge |
| /wp-json/ | **403 FORBIDDEN** | Vercel WAF challenge |
| /readme.html | **403 FORBIDDEN** | Vercel WAF challenge |
| /xmlrpc.php | **403 FORBIDDEN** | Vercel WAF challenge |
| /wp-login.php | **403 FORBIDDEN** | Vercel WAF challenge |

### Key Observations
- **This is NOT a WordPress site.** It is a modern Next.js application deployed on Vercel.
- **ALL 403 responses are from Vercel's WAF** (Web Application Firewall), not from file existence. Vercel blocks suspicious paths (.php, .bak, wp-* patterns) by default.
- The `X-Vercel-Mitigated: deny` and `X-Vercel-Mitigated: challenge` headers confirm WAF rules.
- The CSP header leaks that there is an admin panel at `admin.igf.gouv.ht`.
- Real-time functionality via Pusher WebSockets (ws-us3.pusher.com).
- **No actual config file exposure risk** -- this is the most hardened site of the five.

---

## SITE 4: dinepa.gouv.ht (Water & Sanitation Authority / DINEPA)

### Tech Stack
- **CMS:** WordPress
- **Server:** Cloudflare (origin server unknown -- headers stripped)
- **CDN/WAF:** Cloudflare
- **Language:** fr-CA
- **SSL:** Yes (HTTP 301 -> HTTPS)
- **Canonical Domain:** www.dinepa.gouv.ht (redirects from bare domain)
- **Site Title:** "DINEPA -- Direction Nationale de l'Eau Potable et de l'Assainissement"
- **Timezone:** America/Port-au-Prince (GMT-5)
- **Plugins:** Formidable Forms, All in One SEO, Contact Form 7, PDA Lite, PWA for WP, WP Slick Slider, WP Post Slider
- **Security:** Cloudflare Turnstile on login page

### Probe Results

| Endpoint | HTTP Status | Notes |
|----------|------------|-------|
| /wp-config.php.bak | **403 FORBIDDEN** | **Cloudflare WAF block: "Sorry, you have been blocked"** |
| /wp-config.php~ | **403 FORBIDDEN** | Cloudflare WAF block |
| /wp-config.php.old | **403 FORBIDDEN** | Cloudflare WAF block |
| /wp-config.php.save | **403 FORBIDDEN** | Cloudflare WAF block |
| /wp-config.php.swp | **403 FORBIDDEN** | Cloudflare WAF block |
| /.wp-config.php.bak | **403 FORBIDDEN** | Cloudflare WAF block |
| /wp-config.txt | 301 -> www | Redirects to www subdomain (WordPress redirect) |
| /web.config | 301 -> www | Redirects to www subdomain |
| /.env | 301 -> www | Redirects to www subdomain |
| /wp-content/ | **200 OK** | Empty response (directory exists) |
| /wp-json/wp/v2/users | **200 OK** | **USER ENUMERATION -- 3 users returned** |
| /wp-json/ | **200 OK** | Full API root exposed |
| /readme.html | **200 OK** | **WordPress readme FULLY ACCESSIBLE** |
| /xmlrpc.php | **405 Method Not Allowed** | **ACTIVE -- accepts POST** |
| /wp-login.php | **200 OK** | **LOGIN PAGE FULLY ACCESSIBLE** (with Cloudflare Turnstile) |

### Enumerated Users (dinepa.gouv.ht)

| ID | Name | Slug (Username) | URL |
|----|------|-----------------|-----|
| 1 | Communication DINEPA | **communication-dinepa** | https://www.dinepa.gouv.ht |
| 41 | DINEPA HT | **dinepa-ht** | https://www.dinepa.gouv.ht/ |
| 44 | Belonny Fernando Baptiste | **belonyfb** | -- |

### Key Observations
- **Cloudflare WAF blocks .php.bak / .php~ patterns** with a hard block page ("Sorry, you have been blocked"). This is Cloudflare's managed ruleset, NOT necessarily indicating the files exist.
- **wp-login.php is fully accessible** with a proper login form. Protected by Cloudflare Turnstile (CAPTCHA) but still enumerable.
- readme.html exposed, enabling WordPress version fingerprinting.
- The site redirects the bare domain to www -- probe paths that match a Cloudflare WAF rule are blocked at the Cloudflare edge before they reach the origin, while paths that pass the WAF are handled by WordPress and get 301 redirects to www.
- XML-RPC active.

---

## SITE 5: menfp.gouv.ht (Education Ministry / MENFP)

### Tech Stack
- **Framework:** Express.js (Node.js) -- NOT WordPress
- **Server:** nginx (reverse proxy)
- **Language:** Unknown
- **SSL:** HTTPS only (HTTP port 80 times out)
- **Headers:** X-Powered-By: Express, Access-Control-Allow-Origin: *
- **Last-Modified:** Sun, 16 Nov 2025 (static site, not updated recently)

### Probe Results

| Endpoint | HTTP Status | Notes |
|----------|------------|-------|
| /wp-config.php.bak | **403 FORBIDDEN** | **nginx 403** |
| /wp-config.php~ | **403 FORBIDDEN** | nginx 403 |
| /wp-config.php.old | **403 FORBIDDEN** | nginx 403 |
| /wp-config.php.save | **403 FORBIDDEN** | nginx 403 |
| /wp-config.php.swp | **403 FORBIDDEN** | nginx 403 |
| /wp-config.txt | **403 FORBIDDEN** | nginx 403 |
| /.wp-config.php.bak | **403 FORBIDDEN** | nginx 403 |
| /web.config | **403 FORBIDDEN** | nginx 403 |
| /.env | **403 FORBIDDEN** | nginx 403 |
| /wp-content/ | 404 | "Cannot GET /wp-content/" (Express error) |
| /wp-json/wp/v2/users | 404 | "Cannot GET /wp-json/wp/v2/users" (Express error) |
| /wp-json/ | 404 | "Cannot GET /wp-json/" (Express error) |
| /readme.html | 404 | "Cannot GET /readme.html" (Express error) |
| /xmlrpc.php | 404 | "Cannot GET /xmlrpc.php" (Express error) |
| /wp-login.php | 404 | "Cannot GET /wp-login.php" (Express error) |

### Key Observations
- **This is NOT a WordPress site.** It is an Express.js (Node.js) application behind nginx.
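- **ALL 403 responses come from nginx**, not from file existence. The nginx configuration has a blanket deny rule for the config/backup patterns probed (wp-config variants, web.config, .env). Plain .php paths such as /xmlrpc.php and /wp-login.php are not blocked; they pass through to Express and return 404.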
- The 404 responses from Express.js ("Cannot GET /path") confirm the app server has no WordPress routes.
- **No real config file exposure risk** -- the 403s are a generic nginx security rule, not evidence of existing files.
- HTTP port 80 does not respond (connection timeout), only HTTPS works.
- `Access-Control-Allow-Origin: *` is set, which lets any origin read responses to uncredentialed requests. This could allow cross-origin data exfiltration if any sensitive endpoints are served without authentication.

---

## 403 ANALYSIS: Real Files vs WAF Rules

This is the critical question -- does 403 mean the file exists, or is it a blanket security rule?

### Confirmed as WAF/Server-Level Blocking (NOT file evidence):
- **igf.gouv.ht** -- Vercel WAF blocks ALL suspicious patterns. `X-Vercel-Mitigated: deny` confirms this. Site is not even WordPress.
- **menfp.gouv.ht** -- nginx blocks the wp-config variants, web.config and .env with identical 403 pages, while plain .php paths fall through to Express and return 404. Site is Express.js, not WordPress.
- **dinepa.gouv.ht** -- Cloudflare WAF blocks .php.bak patterns. The "Sorry, you have been blocked" page is Cloudflare's managed rule, not origin server.

### Likely Real File Existence (requires further investigation):
- **md.gouv.ht** -- LiteSpeed/Hostinger blocks .bak/.old/.swp extensions server-wide. However, /web.config returns 404 (not 403), and /.env returns 404 (not 403), which means the server DOES differentiate between existing-but-blocked files and non-existent files. The fact that wp-config variants return 403 while other files return 404 is significant.
- **dgi.gouv.ht** -- Same Hostinger/LiteSpeed platform, same pattern. Same 403 vs 404 differentiation. Same conclusion.

**Verdict for md.gouv.ht and dgi.gouv.ht:** The LiteSpeed server on Hostinger returns 404 for files that don't exist (.env, web.config) and 403 for wp-config backup variants. This strongly suggests that **at minimum the wp-config.php.bak file exists on both servers** and LiteSpeed is blocking access to it. However, it could also be a LiteSpeed rule that specifically targets `wp-config*` patterns with 403 regardless of file existence. Further testing with a non-existent but similarly-named file (e.g., /wp-config.php.xyz) would disambiguate.

---

## WORDPRESS USER ENUMERATION -- FULL DUMP

### md.gouv.ht (2 users)
```json
[
  {"id": 1, "name": "PRL", "slug": "admindev", "url": "https://md.gouv.ht"},
  {"id": 5, "name": "Jean Guiteau LAFAYE", "slug": "ljguy"}
]
```

### dgi.gouv.ht (5 users)
```json
[
  {"id": 1, "name": "louicent19@gmail.com", "slug": "louicent19gmail-com", "url": "https://dgi.gouv.ht"},
  {"id": 2, "name": "Jodelin Desrameaux", "slug": "jodelin", "url": "http://inno100.tech"},
  {"id": 27, "name": "La DGI", "slug": "dgi"},
  {"id": 30, "name": "saintfequel@gmail.com", "slug": "saintfequelgmail-com"},
  {"id": 31, "name": "Fequelson Saint-Cyr", "slug": "2010", "url": "http://dgi.gouv.ht"}
]
```

### dinepa.gouv.ht (3 users)
```json
[
  {"id": 1, "name": "Communication DINEPA", "slug": "communication-dinepa", "url": "https://www.dinepa.gouv.ht"},
  {"id": 41, "name": "DINEPA HT", "slug": "dinepa-ht", "url": "https://www.dinepa.gouv.ht/"},
  {"id": 44, "name": "Belonny Fernando Baptiste", "slug": "belonyfb"}
]
```

**Total enumerated users across all sites: 10**

---

## NOTABLE INFRASTRUCTURE FINDINGS

### Shared Hosting (md.gouv.ht + dgi.gouv.ht)
Both the Ministry of Defense and the Tax Authority are hosted on **Hostinger** shared hosting (hpanel). Custom headers leak this:
```
platform: hostinger
panel: hpanel
Server: LiteSpeed
```
This means both government sites share infrastructure with potentially thousands of other Hostinger customers. A compromise of the shared hosting environment could affect both sites simultaneously.

### Developer Attribution (dgi.gouv.ht)
User "Jodelin Desrameaux" (slug: jodelin) with URL http://inno100.tech appears to be the developer/contractor who built the DGI site.

### Admin Panel Discovery (igf.gouv.ht)
The Content-Security-Policy header on igf.gouv.ht reveals:
```
connect-src 'self' https://admin.igf.gouv.ht ...
```
This exposes the existence of a separate admin backend at `admin.igf.gouv.ht`.

### Email Addresses Leaked (dgi.gouv.ht)
Two personal Gmail addresses are exposed as WordPress display names:
- louicent19@gmail.com (admin account, user ID 1)
- saintfequel@gmail.com (user ID 30)

---

## EXPOSED API NAMESPACES

### md.gouv.ht
ithemes-security/rpc, ithemes-security/v1, oembed/1.0, code-snippets/v1, elementor-one/v1, zipwp/v1, brave/v1, astra/v1, elementor/v1, elementor-ai/v1, hub-connector/v1, one-onboarding/v1, forminator/v1, wpmudev_pcs/v1, getting-started/v1, zipwp-images/v1, nps-survey/v1, gutenberg-templates/v1, bsf-core/v1, wp/v2, wp-site-health/v1, wp-block-editor/v1, wp-abilities/v1

### dgi.gouv.ht
oembed/1.0, aioseo/v1, betterdocs/v1, contact-form-7/v1, essential-blocks/v1, hostinger-easy-onboarding/v1, litespeed/v1, litespeed/v3, redirection/v1, mc4wp/v1, monsterinsights/v1, hostinger-ai-assistant/v1, hostinger-amplitude/v1, hostinger-tools-plugin/v1, google-site-kit/v1, betterdocs, elementor/v1, wpforms/v1, wp/v2, wp-site-health/v1, wp-block-editor/v1

### dinepa.gouv.ht
frm-admin/v1, oembed/1.0, aioseo/v1, contact-form-7/v1, pda-lite/v1, pwa-for-wp/v2, wprps-post-slider/v1, wp-slick-slider-and-image-carousel/v1, wp/v2, wp-site-health/v1, wp-block-editor/v1

---

## FILES SAVED

All raw probe results (headers + bodies) saved per-site at:
```
C:\Users\Squir\Desktop\HAITI\DUMP\GOVHT-PROBE\
  md.gouv.ht\         (16 files)
  dgi.gouv.ht\        (16 files)
  igf.gouv.ht\        (16 files)
  dinepa.gouv.ht\     (16 files)
  menfp.gouv.ht\      (16 files)
  probe-results.md     (this file)
```

---

## RECOMMENDED NEXT STEPS

1. **Disambiguate 403 on md.gouv.ht / dgi.gouv.ht:** Request a non-existent wp-config variant (e.g., /wp-config.php.xyz) to confirm if LiteSpeed returns 404 or 403 -- this will prove whether the .bak files truly exist.
2. **Try ?author=N enumeration:** On the three WP sites, try /?author=1 through /?author=50 to find additional users not exposed via the REST API.
3. **Probe admin.igf.gouv.ht:** The CSP header leaked this admin backend domain.
4. **WordPress version fingerprinting:** Parse the exposed readme.html on dgi.gouv.ht and dinepa.gouv.ht to determine exact WordPress versions.
5. **XML-RPC exploitation test:** Send a system.listMethods POST to xmlrpc.php on md/dgi/dinepa to enumerate available methods.
6. **Gravatar hash reversal:** The SHA256 gravatar hashes from user enumeration can be used to confirm email addresses.
7. **Plugin vulnerability scanning:** With the full plugin list exposed via wp-json, check each plugin version against known CVEs.
8. **www.dinepa.gouv.ht direct probing:** The bare domain redirects to www -- probe the www subdomain directly to bypass the Cloudflare WAF redirect chain.
