# Haiti Government Tech Stack Scan **Date:** 2026-03-04 **Method:** curl header inspection, WP REST API enumeration, robots.txt analysis **User-Agent:** Chrome 122 (Windows) --- ## Summary Table | Domain | Status | Server | CMS / Framework | WP API | Notable Findings | |--------|--------|--------|-----------------|--------|------------------| | primature.gouv.ht | 200 | Apache (Bluehost shared) | WordPress + Elementor | **OPEN (200)** -- 4 users leaked | Redirects to www; PHPSESSID exposed; GiveWP plugin; host-header = shared.bluehost.com | | communication.gouv.ht | 200 | Apache (Bluehost shared) | WordPress + Yoast SEO | 401 (locked) | Newfold/Endurance cache layer; Nginx cache for WP; host-header = shared.bluehost.com | | md.gouv.ht | 200 | LiteSpeed (Hostinger hPanel) | WordPress + Elementor | **OPEN (200)** -- 2 users leaked | PHP/8.2.28 exposed; platform=hostinger; panel=hpanel; reCAPTCHA + hCaptcha permissions-policy | | mict.gouv.ht | **500** | Apache | WordPress (broken) | 500 | **SITE DOWN** -- Internal Server Error; previously had web.config credential exposure | | mef.gouv.ht | **415** | openresty/1.27.1.1 | Unknown (behind WAF/proxy) | 415 | Returns 415 Unsupported Media Type on all requests; openresty reverse proxy | | mae.gouv.ht | 200 | Apache (Bluehost shared) | WordPress + Yoast SEO | 401 (locked) | wpDiscuz plugin (comment system) cookie set; host-header = shared.bluehost.com | | mspp.gouv.ht | 415 | Apache | **Drupal 10** | 404 (N/A) | x-generator: Drupal 10; x-frame-options: SAMEORIGIN; no robots.txt (404) | | menfp.gouv.ht | 200 (HTTPS, cert issue) | nginx + Express (Node.js) | **Angular SPA** (custom) | N/A | X-Powered-By: Express; Angular app; author "John Peter THOMAS"; Google Analytics UA-168251399-1; IP: 161.0.132.118; self-signed/expired cert | | dgi.gouv.ht | 200 | LiteSpeed (Hostinger hPanel) | WordPress | **OPEN (200)** -- 5 users leaked | PHP/8.2.29; LiteSpeed cache HIT; platform=hostinger; panel=hpanel; **admin email exposed as username** | | douane.gouv.ht | 200 (via www) | **Apache/2.4.62 (Win64)** | WordPress | 401 (locked) | **WINDOWS SERVER** -- Apache Win64 + OpenSSL/3.1.7 + PHP/8.3.14 + mod_fcgid; self-hosted on Windows | | oni.gouv.ht | **468** | Unknown (custom WAF) | Unknown (behind WAF) | 468 (blocked) | **Custom WAF/Access Denied page** -- HTTP 468 (non-standard); request_id tracking; all paths blocked | | conatel.gouv.ht | 200 | Apache | **Drupal 7** | 404 (N/A) | **PHP/7.0.33** (EOL, critical); x-generator: Drupal 7; extensive robots.txt with Drupal paths; CHANGELOG.txt disallowed | | pnh.ht | **DNS FAIL** | -- | -- | -- | **Domain does not resolve** -- no A record; site completely offline | | brh.ht (www.brh.ht) | 200 | Apache (Bluehost wp) | WordPress + Yoast SEO | **OPEN (200)** -- users leaked | Bare domain has no A record; www.brh.ht works (IP: 162.241.248.20); Jetpack plugin; HSTS enabled; x-frame-options DENY; robots.txt leaks path `/utilities/xyz/1029384756/PressConference/` | | sydonia.douane.gouv.ht | **DNS FAIL** | -- | -- | -- | **No DNS record** -- SYDONIA customs system not publicly accessible | | goaml.ucref.gouv.ht | **DNS FAIL** | -- | -- | -- | **No DNS record** -- goAML anti-money laundering system not publicly accessible | | edeclaration.dgi.gouv.ht | **TIMEOUT** | -- | -- | -- | DNS resolves to 200.4.169.180 but connection times out; tax e-declaration portal unreachable | --- ## Exposed WordPress Users (WP REST API /wp-json/wp/v2/users) ### primature.gouv.ht (Prime Minister's Office) -- 4 users | ID | Display Name | Slug (Username) | Gravatar Hash | Notes | |----|-------------|-----------------|---------------|-------| | 1 | Wilouis | wilfrid_lo | 76219724227ee... | Admin (ID 1); Elementor power user | | 3 | Joreste Payen | joreste | d90afadd60681... | | | 4 | jeanphilippe baptiste | jeanphilippe | b0d7088b226a6... | | | 8 | Clifford TIMOTHE | webmaster | 214ef5f9ee306... | GiveWP campaign metadata | **Plugins detected:** Elementor, GiveWP (donation plugin) ### md.gouv.ht (Ministry of Defense) -- 2 users | ID | Display Name | Slug (Username) | Gravatar Hash | Notes | |----|-------------|-----------------|---------------|-------| | 1 | PRL | admindev | 33e54dec0cd79... | Admin (ID 1); URL: https://md.gouv.ht | | 5 | Jean Guiteau LAFAYE | ljguy | 6b4719d9a34c5... | | **Plugins detected:** Elementor ### dgi.gouv.ht (Tax Authority) -- 5 users | ID | Display Name | Slug (Username) | Gravatar Hash | Notes | |----|-------------|-----------------|---------------|-------| | 1 | **louicent19@gmail.com** | louicent19gmail-com | 78c603f961529... | **EMAIL AS DISPLAY NAME** -- admin account | | 2 | Jodelin Desrameaux | jodelin | d98b9d50d5d3a... | URL: http://inno100.tech (dev's personal site) | | 27 | La DGI | dgi | e85a8c2d9285b... | Official content account | | 30 | **saintfequel@gmail.com** | saintfequelgmail-com | 2dffeebde91af... | **EMAIL AS DISPLAY NAME** | | 31 | Fequelson Saint-Cyr | 2010 | 271e9f4f42b41... | URL: http://dgi.gouv.ht; slug is "2010" | **Critical finding:** Two user accounts expose personal Gmail addresses as display names. The developer (Jodelin Desrameaux) links to his personal site inno100.tech. ### www.brh.ht (Central Bank) -- 1+ users | ID | Display Name | Slug (Username) | Gravatar Hash | Notes | |----|-------------|-----------------|---------------|-------| | 6 | Amos Sejour | asejour | 8ba065897a932... | | **Plugins detected:** Yoast SEO, Jetpack --- ## Hosting Infrastructure Summary | Hosting Provider | Domains | |-----------------|---------| | **Bluehost (shared)** | primature.gouv.ht, communication.gouv.ht, mae.gouv.ht, www.brh.ht | | **Hostinger (hPanel)** | md.gouv.ht, dgi.gouv.ht | | **Self-hosted Windows** | douane.gouv.ht (Apache Win64) | | **Custom/VPS** | mef.gouv.ht (openresty), mspp.gouv.ht (Apache), conatel.gouv.ht (Apache), mict.gouv.ht (Apache), oni.gouv.ht (WAF), menfp.gouv.ht (nginx+Express) | | **Offline/No DNS** | pnh.ht, sydonia.douane.gouv.ht, goaml.ucref.gouv.ht | | **Unreachable** | edeclaration.dgi.gouv.ht (IP 200.4.169.180 -- timeout) | --- ## CMS Distribution | CMS | Count | Domains | |-----|-------|---------| | **WordPress** | 8 | primature, communication, md, mict (broken), mae, dgi, douane, brh | | **Drupal 10** | 1 | mspp.gouv.ht | | **Drupal 7** | 1 | conatel.gouv.ht | | **Angular (custom)** | 1 | menfp.gouv.ht | | **Unknown (WAF)** | 2 | mef.gouv.ht, oni.gouv.ht | | **Offline** | 4 | pnh.ht, sydonia, goaml, edeclaration | --- ## Critical Findings & Risk Assessment ### HIGH RISK 1. **dgi.gouv.ht -- WP API user enumeration with email exposure** - Admin account display name is literally `louicent19@gmail.com` - Second account exposes `saintfequel@gmail.com` - Developer's personal site (inno100.tech) linked from user profile - Combined with exposed usernames, enables targeted brute-force or phishing 2. **primature.gouv.ht -- WP API user enumeration (PM Office)** - 4 usernames exposed including `wilfrid_lo` (admin ID 1) - Hosted on shared Bluehost -- lateral risk from shared hosting neighbors - GiveWP donation plugin installed (payment processing attack surface) 3. **md.gouv.ht -- WP API user enumeration (Defense Ministry)** - Admin slug is `admindev` -- suggests dev/admin account left in production - Hosted on Hostinger shared hosting (budget hosting for a defense ministry) - PHP version exposed in headers (8.2.28) 4. **conatel.gouv.ht -- PHP 7.0.33 (EOL since Dec 2018) + Drupal 7** - PHP 7.0 has been end-of-life for 7+ years -- no security patches - Drupal 7 is end-of-life (Jan 2025) -- no security patches - Known CVEs: Drupalgeddon-style RCE if unpatched - CHANGELOG.txt blocked in robots.txt but may still be accessible 5. **mict.gouv.ht -- HTTP 500 (broken site)** - Previously had web.config credential exposure (already documented) - Site now returning 500 Internal Server Error -- may indicate compromise or misconfiguration 6. **douane.gouv.ht -- Windows Server self-hosted** - Running Apache/2.4.62 on Windows (Win64) with OpenSSL/3.1.7 and PHP/8.3.14 - Self-hosted customs authority on Windows -- unusual and potentially under-maintained - Full server version string exposed in headers ### MEDIUM RISK 7. **www.brh.ht -- robots.txt path leak** - robots.txt exposes hidden path: `/utilities/xyz/1029384756/PressConference/` - This appears to be an obscured utility path worth investigating - WP user enumeration partially open 8. **mef.gouv.ht -- openresty 1.27.1.1 reverse proxy** - Returns 415 on all requests -- may be misconfigured or filtering aggressively - Full openresty version exposed - Backend technology unknown 9. **oni.gouv.ht -- Custom WAF with HTTP 468** - Non-standard HTTP status code 468 (not in RFC) - Custom "Access Denied" page with request_id tracking - Indicates custom security layer -- potentially interesting if bypass found 10. **menfp.gouv.ht -- Angular SPA on Express/nginx** - X-Powered-By: Express not stripped - Self-signed or expired TLS certificate - Google Analytics tracking ID: UA-168251399-1 - Developer name in HTML meta: "John Peter THOMAS" ### OFFLINE (Monitor for return) 11. **pnh.ht** -- National Police domain has no DNS record 12. **sydonia.douane.gouv.ht** -- SYDONIA customs system no DNS (likely internal-only) 13. **goaml.ucref.gouv.ht** -- Anti-money laundering system no DNS (likely internal-only) 14. **edeclaration.dgi.gouv.ht** -- Resolves to 200.4.169.180 but connection refused/timeout --- ## Next Steps 1. **Immediate:** Dump full WP API data from primature, md, dgi (posts, pages, media, plugins) 2. **Immediate:** Investigate brh.ht path `/utilities/xyz/1029384756/PressConference/` 3. **Priority:** Check conatel.gouv.ht for Drupal CHANGELOG.txt, INSTALL.txt, UPDATE.txt 4. **Priority:** Probe douane.gouv.ht Windows server for common Windows misconfigs (web.config, IIS artifacts) 5. **Priority:** Try WP login brute-force paths (xmlrpc.php) on exposed WP sites 6. **Monitor:** Re-check mict.gouv.ht for recovery from 500 error 7. **Monitor:** Watch pnh.ht, sydonia, goaml, edeclaration for DNS/connectivity changes 8. **Research:** Gravatar hashes can be reversed to find associated email addresses 9. **Research:** inno100.tech (dgi.gouv.ht developer's site) for additional intel