# Haiti Government Web Infrastructure - Passive Reconnaissance Report

**Date:** 2026-03-04
**Scope:** communication.gouv.ht, mae.gouv.ht, mspp.gouv.ht
**Method:** Passive HTTP GET requests to publicly accessible endpoints only

---

## Site 1: communication.gouv.ht

**Organization:** Gouvernement de la Republique d'Haiti - Le Portail de l'Information Gouvernementale

### Tech Stack
| Component | Detail |
|-----------|--------|
| **CMS** | WordPress 6.9.1 (confirmed via generator meta tag) |
| **Web Server** | Apache (backend) + nginx/1.25.5 (reverse proxy/cache) |
| **Hosting** | Bluehost Shared Hosting (`host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==` decodes to `shared.bluehost.com`) |
| **Caching** | Newfold/Endurance cache (X-Newfold-Cache-Level: 2, X-nginx-cache: WordPress) |
| **Theme** | townpress |
| **Timezone** | America/New_York (GMT-5) |

### Plugins Detected (via WP REST API namespaces)
- **Akismet** (akismet/v1) - spam protection
- **Wordfence** (wordfence/v1) - security/firewall
- **Yoast SEO** (yoast/v1) - SEO management
- **MonsterInsights** (monsterinsights/v1) - Google Analytics
- **Envira Gallery Convert** (envira-convert/v1) - gallery
- **WPForms** (wpforms/v1) - forms
- **Autoptimize** - asset optimization (detected in HTML source)

### Security Posture
- **WP REST API Users:** BLOCKED (401 Unauthorized - "Sorry, you are not allowed to list users")
- **wp-login.php:** BLOCKED (409 Conflict - Bluehost bot protection via `humans_21909` cookie check)
- **xmlrpc.php:** BLOCKED (409 Conflict - same bot protection)
- **readme.html:** EXPOSED (200) but version string stripped
- **.git/HEAD:** Not exposed (404)
- **robots.txt:** Open crawl (Disallow empty), Yoast sitemap at `/sitemap_index.xml`
- **Authentication:** No application-passwords endpoint exposed

### Sitemap Structure (Yoast)
- post-sitemap.xml (x2 pages)
- page-sitemap.xml
- lsvr_listing-sitemap.xml (custom listing post type)
- lsvr_document-sitemap.xml (custom document post type)
- lsvr_event-sitemap.xml (custom event post type)
- Last modified: 2026-01-16

### Users Found
None - endpoint properly restricted.

---

## Site 2: mae.gouv.ht

**Organization:** Ministere des Affaires Etrangeres et des Cultes (Ministry of Foreign Affairs and Religious Affairs)

### Tech Stack
| Component | Detail |
|-----------|--------|
| **CMS** | WordPress (version obscured - generator meta tag removed) |
| **Web Server** | Apache (backend) + nginx/1.27.2 (reverse proxy) |
| **Hosting** | Bluehost Shared Hosting (same `host-header` as communication.gouv.ht) |
| **Theme** | hueman (v7.1.1) |
| **Timezone** | GMT-5 (timezone_string empty) |
| **Language** | French (error messages in French) |

### Plugins Detected (via WP REST API namespaces + HTML source)
**From API namespaces:**
- **Akismet** (akismet/v1) - spam protection
- **Contact Form 7** (contact-form-7/v1) - forms
- **Matomo Analytics** (matomo/v1) - self-hosted analytics
- **Yoast SEO** (yoast/v1) - SEO
- **Complianz GDPR** (complianz/v1, complianz_tc/v1) - cookie consent/GDPR
- **Burst Statistics** (burst/v1) - privacy-friendly analytics
- **Contextual Related Posts** (contextual-related-posts/v1) - related content
- **MetaSlider** (metaslider/v1) - slider/carousel
- **MV Grow Social** (mv-grow-social/v1) - social sharing

**From HTML source:**
- ml-slider (MetaSlider)
- recent-posts-widget-with-thumbnails
- tabs-responsive
- 3d-flipbook-dflip-lite
- responsive-lightbox
- social-pug
- nimble-builder
- wpdiscuz (comment plugin - detected via Set-Cookie header)

### Security Posture
- **WP REST API Users:** BLOCKED (401 - French error message: "vous n'etes pas autorise a acceder aux utilisateurs sans authentification")
- **wp-login.php:** BLOCKED (409 Conflict - Bluehost bot protection)
- **xmlrpc.php:** BLOCKED (409 Conflict)
- **readme.html:** EXPOSED (200) but version stripped
- **.git/HEAD:** Not exposed (404)
- **Generator meta tag:** REMOVED (security hardening)
- **Application Passwords:** ENABLED (authorization endpoint at `/wp-admin/authorize-application.php`)
- **robots.txt:** Open crawl, WP sitemap at `/wp-sitemap.xml`

### Sitemap Structure (WP Core)
- wp-sitemap-posts-post-1.xml
- wp-sitemap-posts-page-1.xml
- wp-sitemap-posts-rl_gallery-1.xml (Responsive Lightbox gallery)
- wp-sitemap-taxonomies-category-1.xml

### Users Found
None - endpoint properly restricted.

### Notable
- Application Passwords authentication is enabled, which could be a vector if credentials are obtained
- Uses significantly more plugins than communication.gouv.ht (larger attack surface)
- Cookie set on every request: `wpdiscuz_nonce` (wpDiscuz comment plugin)

---

## Site 3: mspp.gouv.ht

**Organization:** Ministere de la Sante Publique et de la Population (Ministry of Public Health and Population)

### Tech Stack
| Component | Detail |
|-----------|--------|
| **CMS** | **Drupal 10.5.6** (confirmed via X-Generator header AND JS asset versions) |
| **Web Server** | Apache |
| **Custom Theme** | `themes/custom/mspp/` |
| **Frontend Framework** | Bootstrap 5.3.3 (CDN: cdn.jsdelivr.net) |
| **Font** | Inter (Google Fonts) |
| **Icons** | Font Awesome 6.5.1 (CDN: cdnjs.cloudflare.com) |
| **Analytics** | Google Analytics 4 (G-QGFGEF08CT) via google_analytics contrib module |
| **Language** | English (Content-language: en) |

### Drupal Modules Detected
**Contrib:**
- google_analytics

**Core:**
- system

### Security Posture -- SIGNIFICANT ISSUES

| Endpoint | Status | Risk |
|----------|--------|------|
| **/core/CHANGELOG.txt** | **200 EXPOSED** | Confirms Drupal use, version fingerprinting |
| **/INSTALL.txt** | **200 EXPOSED** | Information disclosure |
| **/README.md** | **200 EXPOSED** | Full Drupal README with repo links |
| **/core/install.php** | **200 EXPOSED** | Installer accessible (though site is already installed) |
| **/admin/config** | 403 Forbidden | Properly restricted |
| **/user/login** | **200 EXPOSED** | Standard Drupal login form publicly accessible |
| **/jsonapi** | 404 | JSON:API module not enabled or route not configured |
| **/jsonapi/node/article** | 404 | Same |
| **/sitemap.xml** | 404 | No sitemap configured |
| **.git/HEAD** | 404 | Not exposed |

### Twig Theme Debug Mode -- CRITICAL FINDING

**Twig debug mode is ENABLED in production.** The HTML source contains full template debug comments:

```html
<!-- THEME DEBUG -->
<!-- THEME HOOK: 'html' -->
<!-- FILE NAME SUGGESTIONS:
   html--user--login.html.twig
   html--user.html.twig
   html.html.twig
-->
<!-- BEGIN CUSTOM TEMPLATE OUTPUT from 'themes/custom/mspp/templates/html.html.twig' -->
```

This reveals:
- Full filesystem paths to custom Twig templates
- Theme hook suggestions (useful for crafting template injection if other vulns exist)
- Template file hierarchy and naming conventions
- Custom template locations: `themes/custom/mspp/templates/`
  - `html.html.twig`
  - `page.html.twig`
  - `region--header.html.twig`
  - `block/block--system-branding-block.html.twig`
  - `menu--main.html.twig`
  - `region--footer.html.twig`

### Form Tokens Captured
- **form_build_id:** `form-Tv-UYBGykxDq0TW5chGVh5OUu1bef6RGzmT4rlz9erw` (CSRF token on login form)
- **Form actions:** `/mspp_drupal/recherche` (search), `/user/login` (auth)

### CSS Asset Cache Buster
- All CSS/JS assets use `?t9j54c` cache buster, indicating a specific deployment timestamp

### Users Found
None enumerated (JSON:API disabled, no user listing endpoint found).

### Drupal Version Details
- **Exact version: 10.5.6** (from `drupalSettingsLoader.js?v=10.5.6`)
- Drupal 10.5.6 release: December 2025 (recent patch, but check for latest CVEs)

---

## Hosting Summary

| Site | CMS | Version | Hosting | Server |
|------|-----|---------|---------|--------|
| communication.gouv.ht | WordPress | 6.9.1 | Bluehost Shared | Apache + nginx/1.25.5 |
| mae.gouv.ht | WordPress | Unknown (hidden) | Bluehost Shared | Apache + nginx/1.27.2 |
| mspp.gouv.ht | Drupal | 10.5.6 | Unknown (self-hosted?) | Apache |

### Shared Infrastructure Note
Both WordPress sites (communication.gouv.ht and mae.gouv.ht) are hosted on **Bluehost shared hosting** (confirmed by `host-header` base64 value decoding to `shared.bluehost.com`). They share:
- Same Newfold Digital caching infrastructure
- Same bot protection (409 Conflict with `humans_*` cookie challenge)
- Both use Apache behind nginx reverse proxy

mspp.gouv.ht appears to be on a different hosting setup (no Bluehost headers, no nginx proxy layer, raw Apache).

---

## Key Findings Summary

### Good Security Practices
1. Both WP sites block user enumeration via REST API (401)
2. Both WP sites have bot protection on wp-login.php and xmlrpc.php
3. No .git directory exposed on any site
4. WP version removed from readme.html on both WP sites
5. mae.gouv.ht has generator meta tag removed (security hardening)

### Security Concerns
1. **mspp.gouv.ht: Twig debug mode enabled in production** -- leaks template paths and internal structure
2. **mspp.gouv.ht: Multiple sensitive files accessible** (INSTALL.txt, README.md, core/install.php, CHANGELOG.txt)
3. **mspp.gouv.ht: Login form publicly accessible** at /user/login with no additional protection
4. **mae.gouv.ht: Application Passwords enabled** -- potential auth vector
5. **mae.gouv.ht: Large plugin surface** (11+ plugins detected) -- each is a potential vulnerability point
6. **mae.gouv.ht: wpdiscuz plugin** sets cookies on every request (potential privacy concern)
7. **All sites: No HSTS headers observed** (Strict-Transport-Security missing)
8. **communication.gouv.ht & mae.gouv.ht: On shared hosting** -- multi-tenant risk

---

## Files Saved

### `C:\Users\Squir\Desktop\HAITI\DUMP\COMMUNICATION-GOUV\`
- `homepage-headers.txt` - HTTP response headers
- `robots-full.txt` - robots.txt with headers
- `wp-users.json` - 401 response (blocked)
- `wp-json-root.json` - Full WP REST API schema (442KB)
- `wp-sitemap.xml` - 301 redirect to Yoast sitemap
- `yoast-sitemap-index.xml` - Yoast sitemap index
- `readme.html` - WordPress readme (version stripped)

### `C:\Users\Squir\Desktop\HAITI\DUMP\MAE-GOUV\`
- `homepage-headers.txt` - HTTP response headers
- `robots-full.txt` - robots.txt with headers
- `wp-users.json` - 401 response (blocked)
- `wp-json-root.json` - Full WP REST API schema (278KB)
- `wp-sitemap.xml` - WP core sitemap
- `readme.html` - WordPress readme (version stripped)

### `C:\Users\Squir\Desktop\HAITI\DUMP\MSPP-GOUV\`
- `homepage-headers.txt` - HTTP response headers
- `robots-full.txt` - Drupal robots.txt with headers
- `jsonapi.json` - 404 response (JSON:API disabled)
- `changelog.txt` - Drupal CHANGELOG.txt (exposed)
- `user-login.html` - Drupal login page (27KB, Twig debug visible)
- `sitemap.xml` - 404 response (no sitemap)
- `INSTALL.txt` - Drupal install instructions (exposed)
- `README.md` - Full Drupal README (exposed)
