# SANA.SY (Syrian Arab News Agency) — Intelligence Report

> Syrian state news agency, Iran/Russia-aligned Assad-era media
> Probed Feb 28, 2026 from clearnet

## Technical Profile

| Property | Value |
|----------|-------|
| CMS | WordPress 6.9 |
| SEO Plugin | Rank Math PRO |
| Server | Not disclosed (LiteSpeed likely) |
| CDN | cdn.sananews.sy (custom domain) |
| REST API | **Fully disabled** (401 on all endpoints) |
| wp-login.php | **Blocked** (403) |
| XML-RPC | **Active** (accepts POST only) |
| Directory listing | Disabled (empty 200) |
| wp-cron.php | Accessible (runs silently) |

## Security Posture

| Vector | Status |
|--------|--------|
| WP REST API | BLOCKED (401: "The REST API is not available") |
| wp-login.php | BLOCKED (403 at server level) |
| XML-RPC | **OPEN** (accepts POST — potential brute-force vector) |
| debug.log | Not exposed |
| readme.html | **Exposed** (WordPress version confirmation) |
| wp-content/plugins/ | Directory listing disabled (empty 200) |
| wp-content/themes/ | Directory listing disabled (empty 200) |

## Social Media Accounts (from structured data)

| Platform | URL |
|----------|-----|
| Facebook | https://www.facebook.com/sana.gov/ |
| Twitter/X | https://x.com/Sana__gov (@Sana__gov) |
| YouTube | https://www.youtube.com/syrianarabnewsagency-sana |
| Instagram | https://www.instagram.com/sana__gov/ |
| Telegram | https://t.me/sana_gov |
| WhatsApp | https://whatsapp.com/channel/0029Vb5QI6jIyPtUjKcQQz3O |

## Sitemap Index (73 sitemaps!)

The sitemap index at `https://sana.sy/sitemap_index.xml` (8,979 bytes) reveals:

| Type | Count | Description |
|------|-------|-------------|
| post-sitemap | 40 | Every article URL enumerable |
| page-sitemap | 1 | Static pages |
| category-sitemap | 1 | Content categories |
| post_tag-sitemap | 27 | All tags |
| news-sitemap | 1 | Google News sitemap (139 KB) |
| video-sitemap | 1 | Video content (729 KB!) |
| local-sitemap | 1 | Local content |
| rb-etemplate-sitemap | 1 | Template sitemap |

**The 40 post sitemaps + news + video sitemaps enumerate the ENTIRE content history of SANA.SY.**

## RSS Feed (Active)

The RSS feed at `/feed/` returns valid XML with:
- Full article content (Arabic)
- Author names (e.g., "Zeina Alsaadi")
- Publication dates
- Categories and tags
- WordPress 6.9 generator tag

## Data Dumped

| File | Size | Contents |
|------|------|----------|
| sana-sy-readme.html | 7.4 KB | WordPress readme (version confirmation) |
| sana-sy-robots.txt | 301 B | Rank Math SEO robots, sitemap location |
| sana-sy-feed.xml | 29.6 KB | Full RSS feed with articles |
| sana-sy-sitemap-index.xml | 8.9 KB | Master sitemap index (73 sitemaps) |
| sana-sy-post-sitemap1.xml | 237 KB | First post sitemap (thousands of URLs) |
| sana-sy-news-sitemap.xml | 139 KB | Google News sitemap |
| sana-sy-video-sitemap.xml | 729 KB | Video content sitemap |
| sana-sy-xmlrpc.txt | 42 B | XML-RPC active confirmation |
| sana-sy-login.html | 239 B | 403 on wp-login |
| sana-sy-plugins-dir.html | 0 B | Empty (listing disabled) |
| sana-sy-themes-dir.html | 0 B | Empty (listing disabled) |

**Total: ~1.15 MB**

## CRITICAL: Webmail Exposed (webmail.sana.sy)

### Roundcube Webmail on Plesk Premium Email / Kolab

```
URL:               https://webmail.sana.sy/
Platform:          Roundcube (rcube_webmail)
Hosting:           Plesk Premium Email, powered by Kolab
RC Version:        10612
Cookie Domain:     webmail.sana.sy
Cookie Secure:     true
Session Lifetime:  10800 seconds (3 hours)
CSRF Token:        lT6lwnmtg57m2Qm571yirCZFGLD68n1P
Login Form:        POST /?_task=login with _user, _pass, _token, _timezone
```

- Full webmail login page publicly accessible
- Admin can log in with SANA email credentials
- Plesk Premium Email suggests hosted email infrastructure
- Kolab is an open-source groupware suite (email, calendar, contacts)
- Roundcube has known CVEs in older versions — the reported RC version value 10612 still needs mapping to a release

---

## Key Observations

1. **WordPress 6.9 is very recent** — site is actively maintained
2. **REST API fully disabled** — unusual for WP, shows security awareness
3. **XML-RPC is the remaining attack surface** — accepts POST, could enumerate methods
4. **73 sitemaps** provide complete content enumeration without API access
5. **CDN on separate domain** (cdn.sananews.sy) — may have different security controls
6. **Rank Math PRO** — paid SEO plugin, shows investment in site
7. **Webmail LIVE** — Roundcube/Plesk/Kolab at webmail.sana.sy

---

*Collected: Feb 28, 2026 — Updated with webmail discovery*
