# HAITI MINISTRY SWEEP RESULTS
## Unprobed Government Ministry Domains - Full Probe Report
**Date:** 2026-03-04
**Probed by:** Automated curl sweep (HTTPS + HTTP)

---

## EXECUTIVE SUMMARY

| # | Domain | Status | Stack | Severity |
|---|--------|--------|-------|----------|
| 1 | agriculture.gouv.ht | LIVE (202) - SiteGround CAPTCHA wall | WordPress behind SG-Captcha | LOW (shielded) |
| 2 | mjsp.gouv.ht | LIVE (415/200) | Next.js frontend + WordPress headless CMS (Apache) | MEDIUM |
| 3 | mtptc.gouv.ht | LIVE (415) - Content-Type filtering | Apache (behind bot protection) | LOW (locked down) |
| 4 | mpce.gouv.ht | LIVE (200) | WordPress 6.9.1 + Divi Child + Apache | **HIGH** |
| 5 | mast.gouv.ht | DEAD | N/A - timeout on both HTTP/HTTPS | N/A |
| 6 | mde.gouv.ht | LIVE (301->200) | Joomla 3.8.7 (April 2018) + nginx/1.26.3 | **CRITICAL** |
| 7 | mcc.gouv.ht | DEAD | N/A - timeout on both HTTP/HTTPS | N/A |
| 8 | tourisme.gouv.ht | DEAD | N/A - timeout on both HTTP/HTTPS | N/A |
| 9 | visithaiti.gouv.ht | DEAD | N/A - timeout on both HTTP/HTTPS | N/A |
| 10 | mjsac.gouv.ht | DEAD | N/A - timeout on both HTTP/HTTPS | N/A |
| 11 | mcfdf.gouv.ht | DEAD | N/A - timeout on both HTTP/HTTPS | N/A |
| 12 | mhave.gouv.ht | DEAD | N/A - timeout on both HTTP/HTTPS | N/A |
| 13 | mci.gouv.ht | LIVE (415) | Custom PHP app (Apache) + AdminLTE/Bootstrap | MEDIUM |

**Live targets:** 6 of 13 domains responding
**Dead/Offline:** 7 domains (mast, mcc, tourisme, visithaiti, mjsac, mcfdf, mhave)

---

## DETAILED FINDINGS BY TARGET

---

### 1. agriculture.gouv.ht (Ministry of Agriculture)

**Status:** LIVE but fully shielded by SiteGround CAPTCHA
**Server:** nginx (SiteGround CDN)
**Response:** HTTP 202 Accepted on every path
**Headers:**
```
SG-Captcha: challenge
Host-Header: 8441280b0c35cbc1147f8ba998a563a7
X-Proxy-Cache-Info: DT:1
```

**All probes blocked:** Every path (.git/HEAD, .env, wp-json, robots.txt, etc.) returns the SG-Captcha challenge page. No data extractable via curl.

**Finding:** Site is WordPress behind SiteGround hosting with aggressive bot protection. Cannot enumerate anything without browser-based CAPTCHA solving.

**Severity:** LOW (well-protected)

---

### 2. mjsp.gouv.ht (Ministry of Justice & Public Security)

**Status:** LIVE
**Server:** Apache (backend), Next.js (frontend)
**Stack:** Headless WordPress CMS with Next.js/React frontend (SSR)
**Tech fingerprints:**
- Next.js with Turbopack (`turbopack-44c2a785fde4fd4a.js`)
- WordPress REST API backend
- XML Sitemap Feed plugin
- Fonts: Poppins, Teko, Playfair Display, Cinzel, Jost

#### WP User Enumeration - EXPOSED

```json
[
  {
    "id": 1,
    "name": "UNINFO",
    "slug": "uninfo",
    "link": "https://mjsp.gouv.ht/blog/author/uninfo/",
    "gravatar_hash": "8269ae8a6ea78c98e9e96f6c8af4a5b196af3ad5b296449cc6356b8b7654b48c"
  }
]
```

**Only 1 user (UNINFO, ID=1)** - likely a shared publishing account.

#### WP REST API - FULLY EXPOSED

| Endpoint | Status | Data |
|----------|--------|------|
| `/wp-json/` | 200 | Full route map exposed |
| `/wp-json/wp/v2/users` | 200 | 1 user with gravatar hash |
| `/wp-json/wp/v2/posts` | 200 | 10 posts accessible |
| `/wp-json/wp/v2/pages` | 200 | 10 pages accessible |
| `/wp-json/wp/v2/media` | 200 | Media URLs exposed |
| `/wp-json/wp/v2/categories` | 200 | 3 categories |
| `/wp-json/wp/v2/tags` | 200 | 2 tags |

**Namespaces:** oembed/1.0, wp/v2, wp-site-health/v1, wp-block-editor/v1, wp-abilities/v1

#### Sitemap - EXPOSED

```
https://mjsp.gouv.ht/wp-sitemap.xml
  - wp-sitemap-posts-post-1.xml (posts since 2012)
  - wp-sitemap-posts-page-1.xml
  - wp-sitemap-taxonomies-category-1.xml
  - wp-sitemap-taxonomies-post_tag-1.xml
  - wp-sitemap-users-1.xml (user author pages exposed)
```

#### robots.txt
```
User-agent: *
Disallow:
Sitemap: https://mjsp.gouv.ht/wp-sitemap.xml
```
**Note:** No disallow rules - entire site crawlable.

#### Exposed Media Files (samples)
- `https://mjsp.gouv.ht/wp-content/uploads/2025/10/note-du-ministere-23-10-25-1.pdf` (Ministry note)
- `https://mjsp.gouv.ht/wp-content/uploads/2025/10/note-du-ministere-23-10-25.pdf` (Ministry note)
- `https://mjsp.gouv.ht/wp-content/uploads/2025/07/memorandum-parti-politique.jpeg` (Political party memorandum)
- `https://mjsp.gouv.ht/wp-content/uploads/2025/07/organigramme-mjsp-2.png` (Org chart)
- `https://mjsp.gouv.ht/wp-content/uploads/2025/07/organigramme-mjsp-1.png` (Org chart)

#### Other Probes
| Path | Result |
|------|--------|
| `.git/HEAD` | 404 (HTML error page) |
| `.env` | 404 |
| `xmlrpc.php` | 404 |
| `readme.html` | 404 |
| `wp-config.php.bak` | 404 |
| `server-status` | 404 |
| `phpinfo.php` | 404 |
| `wp-content/debug.log` | Empty |
| `wp-content/uploads/` | 404 (no dir listing) |
| `wp-content/plugins/` | 404 (no dir listing) |

**Severity:** MEDIUM - Full WordPress API exposure with user enumeration, gravatar hashes, and ministry documents accessible via media API.

---

### 3. mtptc.gouv.ht (Ministry of Public Works)

**Status:** LIVE (415 Unsupported Media Type on all paths)
**Server:** Apache
**Behavior:** Returns 415 on every request regardless of path. With Accept header, shows "One moment, please..." bot challenge page.

**All probes blocked.** The server requires specific Content-Type/Accept headers and appears to have bot protection (possibly Imunify360 or similar).

**Severity:** LOW (locked behind content negotiation filter)

---

### 4. mpce.gouv.ht (Ministry of Planning & External Cooperation) **[HIGH SEVERITY]**

**Status:** LIVE (200)
**Server:** Apache
**Stack:** WordPress 6.9.1, Divi Child theme v1.0, W3 Total Cache
**Builder:** https://www.solutions.ht/demo/mpce (dev URL exposed in guid)
**PHP Sessions:** Exposed in Set-Cookie (PHPSESSID, not HttpOnly, not Secure)

#### WP User Enumeration - EXPOSED

```json
[
  {
    "id": 1,
    "name": "mpce_admin",
    "slug": "mpce_admin",
    "url": "https://www.solutions.ht/demo/mpce",
    "link": "https://mpce.gouv.ht/author/mpce_admin/",
    "gravatar_hash": "00a9afd5e49ae62f76b4d92b729880d536c992c6e884b1740667d6615fcc0a2d",
    "meta": {
      "feedzy_import_tour": true,
      "feedzy_hide_action_message": false
    }
  }
]
```

**1 admin user (mpce_admin, ID=1)** with exposed metadata fields (Feedzy state). The URL `https://www.solutions.ht/demo/mpce` reveals the site was built by Solutions HT from a demo template.

#### WP REST API - MASSIVELY EXPOSED

**13 API namespaces exposed:**
1. `oembed/1.0` - oEmbed
2. `akismet/v1` - Akismet anti-spam (key, settings, stats, webhook)
3. `feedzy/v1` - Feedzy RSS aggregator (lazy, logs)
4. `fluentform/v1` - **Fluent Forms** (forms, submissions, settings, resources)
5. `ninjatables/v2` - **Ninja Tables** (tables, items, settings, import/export)
6. `profilegrid/v1` - **ProfileGrid** (users, groups, pages)
7. `wpgmza/v1` - **WP Google Maps** (maps, markers, datatables, geocode-cache)
8. `jet-form-builder/v1` - **JetFormBuilder** (fields, records, verification, AI generate, Mailchimp, ActiveCampaign)
9. `divi/v1` - Divi Builder (layout content, block builder)
10. `wp/v2` - WordPress core
11. `wp-site-health/v1` - Site Health
12. `wp-block-editor/v1` - Block Editor
13. `wp-abilities/v1` - Abilities

#### OPEN API DATA DUMPS

**WP Google Maps Markers - UNAUTHENTICATED ACCESS:**
```json
[
  {"id":"1", "map_id":"1", "address":"Port-au-Prince, Haiti", "lat":"18.5363875", "lng":"-72.34654200000001"},
  {"id":"2", "map_id":"1", "address":"Jérémie, Haiti", "lat":"18.641036", "lng":"-74.1138003"}
]
```

**WP Google Maps Configuration - FULL DUMP:**
- Map titled: "Localisation des ONGs"
- Admin path leaked: `/mpce/wp-admin/admin-post.php` and `/mpce/wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id=1`
- All map settings, colors, and configurations exposed

#### Custom Post Types - EXPOSED

| Post Type | Count | Data |
|-----------|-------|------|
| `posts` | 28 | News articles |
| `pages` | 52 | Site pages |
| `media` | 287 | Images, PDFs, documents |
| `pces` | **678** | NGO/Organization registry (names + registration codes) |
| `ong` | 6 | Featured NGOs |
| `project` | 17 | International cooperation projects |

**PCES (NGO Registry) - 678 entries** with organization names and registration codes:
- Zanmi Lasante: B-0212
- World Vision International: A-0067
- World Relief Corporation: B-0430
- War Child Canada: B-0631
- (678 total entries)

**Project data** exposes international cooperation relationships:
- USAID, Korea, Switzerland, OEA, France, Spain, Chile, Canada, World Bank, BID

#### Sitemaps
```
https://mpce.gouv.ht/wp-sitemap.xml
  - wp-sitemap-posts-post-1.xml
  - wp-sitemap-posts-page-1.xml
  - wp-sitemap-posts-project-1.xml
  - wp-sitemap-posts-ong-1.xml
  - wp-sitemap-posts-pces-1.xml (678 NGO entries)
  - wp-sitemap-taxonomies-category-1.xml
  - wp-sitemap-taxonomies-project_category-1.xml
  - wp-sitemap-users-1.xml
```

#### robots.txt
```
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Sitemap: https://mpce.gouv.ht/wp-sitemap.xml
```

#### RSS Feeds - EXPOSED
- `https://mpce.gouv.ht/feed/` - Full article RSS feed
- `https://mpce.gouv.ht/comments/feed/` - Comments feed (currently empty)
- Generator: `https://wordpress.org/?v=6.9.1`

#### Headers Analysis
```
Server: Apache
Permissions-Policy: private-state-token-redemption=(...), private-state-token-issuance=(...)
Link: <https://mpce.gouv.ht/wp-json/>; rel="https://api.w.org/"
Set-Cookie: PHPSESSID=...; path=/  (NO HttpOnly, NO Secure flags)
Referrer-Policy: no-referrer-when-downgrade
```
**Missing security headers:** No X-Frame-Options, no X-Content-Type-Options, no Strict-Transport-Security

#### Plugin Inventory (confirmed via API namespaces)
1. Akismet
2. Feedzy RSS
3. Fluent Forms
4. Ninja Tables
5. ProfileGrid
6. WP Google Maps (WPGMZA)
7. JetFormBuilder
8. Divi Builder
9. W3 Total Cache
10. XML Sitemap (built-in WP)

#### Other Probes
| Path | Result |
|------|--------|
| `.git/HEAD` | 404 |
| `.env` | 404 |
| `xmlrpc.php` | **404** (disabled - good) |
| `readme.html` | 404 |
| `wp-config.php.bak` | 404 |
| `server-status` | 404 |
| `phpinfo.php` | 404 |
| `wp-content/debug.log` | 404 |
| `wp-content/uploads/` | 404 (no dir listing) |
| `wp-content/plugins/` | 404 (no dir listing) |
| `wp-login.php` | 302 (accessible) |
| `wp-admin/` | 302 (accessible) |

**Severity:** HIGH
- Full REST API exposed with 13 namespaces
- 678-entry NGO registry dumped via unauthenticated API
- Map marker data and admin paths leaked
- User enumeration with gravatar hash
- Development URL leaked (solutions.ht)
- Session cookies lack HttpOnly and Secure flags
- FluentForm and JetFormBuilder endpoints indicate form submission data collection

---

### 5. mast.gouv.ht (Ministry of Social Affairs)

**Status:** DEAD - Connection timeout on both HTTP and HTTPS
**No data.**

---

### 6. mde.gouv.ht (Ministry of Environment) **[CRITICAL SEVERITY]**

**Status:** LIVE (301 -> 200)
**Server:** nginx/1.26.3
**Stack:** **Joomla 3.8.7 (April 2018)** - CRITICALLY OUTDATED

#### Version Confirmation

**From `/administrator/manifests/files/joomla.xml`:**
```xml
<version>3.8.7</version>
<creationDate>April 2018</creationDate>
```

**From `/language/en-GB/en-GB.xml`:**
```xml
<version>3.8.3</version>
<creationDate>December 2017</creationDate>
```

**Joomla 3.8.7 is ~8 years behind current releases.** Joomla 3.x reached end-of-life in August 2023. This version has dozens of known CVEs. Identifiers noted for this target:
- CVE-2023-23752: Unauthenticated information disclosure (REST API). Joomla 4.x only, so not applicable to 3.8.7 (see the severity notes for this target).
- CVE-2023-23751: Improper access check
- Multiple XSS, CSRF, SQLi, and RCE vulnerabilities across 3.8.x to 3.10.x

#### Administrator Panel - ACCESSIBLE

```
https://mde.gouv.ht/administrator/
```
- Returns HTTP 200 with full Joomla admin login page
- Title: "Ministere de l'Environnement - Administration"
- **CSRF token leaked in page source:** `04ee4b73acf279e2f8c400b41995360c`
- Session keepalive interval: 840000ms (14 minutes)
- System paths exposed: root="/", base="/administrator"

#### robots.txt - EXPOSED (Joomla default)
```
User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
```

#### .env File - 403 FORBIDDEN
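The `.env` path returns 403 Forbidden (not 404). This may mean the file exists and is blocked by nginx rules, but a blanket deny rule for dotfiles returns 403 whether or not the file is present (`.htaccess` also returns 403 here), so the status code alone does not confirm existence.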

#### Directory Structure
| Path | Result |
|------|--------|
| `/administrator/` | **200** - Full login page |
| `/administrator/components/` | 403 Forbidden |
| `/plugins/` | Empty HTML `<title></title>` |
| `/components/` | Empty HTML |
| `/modules/` | Empty HTML |
| `/templates/` | Empty HTML |
| `/images/` | Empty HTML |
| `/tmp/` | Empty HTML |
| `/logs/` | Empty (may be accessible) |
| `/cli/` | Empty HTML |
| `/installation/` | 301 redirect to frontend |

#### Other Probes
| Path | Result |
|------|--------|
| `.git/HEAD` | 404 |
| `.env` | **403 Forbidden** (file likely exists) |
| `.htaccess` | 403 Forbidden |
| `configuration.php` | Empty (blocked) |
| `configuration.php.bak` | Empty |
| `xmlrpc.php` | 404 |
| `phpinfo.php` | 404 |
| `readme.html` | 301 redirect |

#### PII / Contact Information EXPOSED
- **Email:** info@mde.gouv.ht
- **Phone:** +509 2943-0520
- **Languages:** French (fr_fr), Haitian Creole (ht_ht) via Falang plugin

#### Authentication Pages - ALL ACCESSIBLE
- **Login form:** `/index.php/fr/component/users/?task=user.login&Itemid=101`
- **Username reminder:** `/index.php/fr/component/users/?view=remind&Itemid=101`
- **Password reset:** `/index.php/fr/component/users/?view=reset&Itemid=101`
- **CSRF tokens rotate per request** but are always leaked in page source JSON
- Login form accepts username + password with "remember me" checkbox

#### Extensions Identified
- **Falang** (multilingual translation plugin)
- **mod_falang** (language switcher module)
- Default Joomla ISIS admin template

**Severity:** CRITICAL
- **Joomla 3.8.7 is catastrophically outdated** with dozens of known exploits
- Administrator login panel publicly accessible at `/administrator/`
- CSRF tokens leaked in HTML source JSON on every page load
- `.env` returns 403 (not 404), which may indicate the file exists on disk, though a blanket dotfile deny rule would produce the same response
- CVE-2023-23752 not applicable (Joomla 4.x only), but 3.8.x has its own CVE set
- User registration, password remind, and password reset forms all publicly accessible
- nginx version disclosed (1.26.3)
- Contact PII exposed (email, phone)

---

### 7. mcc.gouv.ht (Ministry of Culture)

**Status:** DEAD - Connection timeout on both HTTP and HTTPS
**No data.**

---

### 8. tourisme.gouv.ht / visithaiti.gouv.ht (Tourism)

**Status:** DEAD - Both domains timeout on HTTP and HTTPS
**No data.**

---

### 9. mjsac.gouv.ht (Ministry of Youth/Sports)

**Status:** DEAD - Connection timeout on both HTTP and HTTPS
**No data.**

---

### 10. mcfdf.gouv.ht (Ministry of Women's Affairs)

**Status:** DEAD - Connection timeout on both HTTP and HTTPS
**No data.**

---

### 11. mhave.gouv.ht (Ministry of Haitians Living Abroad)

**Status:** DEAD - Connection timeout on both HTTP and HTTPS
**No data.**

---

### 12. mci.gouv.ht (Ministry of Commerce & Industry)

**Status:** LIVE (415 on most paths, 200 on homepage with proper headers)
**Server:** Apache
**Stack:** Custom PHP application (NOT WordPress, NOT Joomla)
**Framework indicators:** AdminLTE 4, Bootstrap 5.2.3, DataTables, ApexCharts, Swiper, Boxicons
**Security header:** `Content-Security-Policy: upgrade-insecure-requests`

#### Technology Fingerprint
```html
<!-- Custom CSS -->
<link href="https://mci.gouv.ht/css/basee.css" rel="stylesheet">
<link href="https://mci.gouv.ht/css/theme.css" rel="stylesheet">
<link href="https://mci.gouv.ht/css/stylepost.css" rel="stylesheet">
<!-- jQuery personnalise -->
<script src="https://mci.gouv.ht/js/jquery.js"></script>
```

#### HTML Source Reveals
- **"Guichet Unique" portal** mentioned (btn-discover-guichet class) - business services portal
- **"Doleances" (grievance) portal** mentioned (btn-discover-doleances class) - complaint submission system
- Custom search functionality with live results dropdown
- Dropdown submenus with nested navigation

#### Content-Type Filtering
The server returns 415 for most curl requests. The homepage renders properly with a browser User-Agent, but CSS/JS paths all return the homepage HTML (possible catch-all routing).

#### Other Probes
| Path | Result |
|------|--------|
| `.git/HEAD` | 301 -> 415 |
| `.env` | 301 -> 415 |
| `/api` | 200 (homepage) |
| `/api/users` | 200 (homepage) |
| `/admin` | 415 |
| `/login` | 415 |
| `/robots.txt` | 200 (homepage - no robots.txt) |
| `xmlrpc.php` | 415 |
| `server-status` | 415 |
| `phpinfo.php` | 415 |

**Severity:** MEDIUM - Custom application with some security headers present, but unusual 415 behavior suggests misconfigured Apache or mod_security rules. The catch-all routing that serves the homepage for all paths (including CSS/JS) suggests the application may have deployment issues. Guichet Unique and Doleances portals likely collect citizen PII.

---

## GRAVATAR HASH INVENTORY

| Site | User | Gravatar SHA256 Hash |
|------|------|---------------------|
| mjsp.gouv.ht | UNINFO (ID:1) | `8269ae8a6ea78c98e9e96f6c8af4a5b196af3ad5b296449cc6356b8b7654b48c` |
| mpce.gouv.ht | mpce_admin (ID:1) | `00a9afd5e49ae62f76b4d92b729880d536c992c6e884b1740667d6615fcc0a2d` |

---

## CRITICAL VULNERABILITY SUMMARY

### CRITICAL
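1. **mde.gouv.ht - Joomla 3.8.7 (8 years outdated)** - Dozens of known CVEs, including multiple RCE chains (CVE-2023-23752, unauthenticated info disclosure, is Joomla 4.x only and does not apply here). Admin panel publicly accessible. `.env` returns 403 rather than 404, which may mean the file exists, though a blanket dotfile deny rule gives the same response.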

### HIGH
2. **mpce.gouv.ht - Massive WordPress API exposure** - 13 API namespaces, 678-entry NGO registry, map data, admin paths, user enumeration, development URLs, session cookies without security flags.

### MEDIUM
3. **mjsp.gouv.ht - WordPress REST API user enumeration** - Gravatar hash exposed, ministry documents (PDFs, org charts) accessible via media API, full sitemap including user author pages.
4. **mci.gouv.ht - Misconfigured custom app** - 415 on most paths but homepage serves, Guichet Unique and Doleances portals likely collect PII, catch-all routing may expose application internals.

### LOW
5. **agriculture.gouv.ht** - Fully shielded by SiteGround CAPTCHA
6. **mtptc.gouv.ht** - Content-type filtering blocks all probes

### OFFLINE (7 domains)
- mast.gouv.ht, mcc.gouv.ht, tourisme.gouv.ht, visithaiti.gouv.ht, mjsac.gouv.ht, mcfdf.gouv.ht, mhave.gouv.ht

---

## NEXT STEPS / RECOMMENDATIONS

1. **mde.gouv.ht** - CVE-2023-23752 is Joomla 4.x only (not applicable here). For Joomla 3.8.7, test: CVE-2017-14596 (LDAP auth bypass), CVE-2018-6376 (SQLi in com_fields), CVE-2018-8045 (SQLi in com_users). Attempt brute force on `/administrator/` login. Check `/configuration.php~` and `/configuration.php.bak` for backup config files
2. **mpce.gouv.ht** - Dump full 678 PCES entries, enumerate all 287 media files for sensitive documents, test FluentForm and JetFormBuilder for submission data leaks
3. **mjsp.gouv.ht** - Download exposed ministry PDF documents, attempt Gravatar email reverse lookup
4. **mci.gouv.ht** - Browser-based testing needed to bypass 415 filter and explore Guichet Unique / Doleances portals
5. **All offline domains** - Retry periodically; Haitian infrastructure has intermittent connectivity

---

*Report generated 2026-03-04 by automated ministry sweep*
