# OSINT Report: uaem.mx — Universidad Autonoma del Estado de Morelos

**Date:** 2026-02-20

**Source:** Exposed `.git/` directory on production webserver at `https://www.uaem.mx/.git/`

**Recovery Method:** git-dumper (Python 3.13), then manual `git checkout` from recovered pack files

**Local Path:** `C:\Users\Squir\Desktop\MEXICO\V A U L T\uaem.mx\`

**Status:** **11,605 files successfully extracted** (~960 MB) from 1.7 GB of pack data. 65 blobs missing (mostly PNG images). Full source code, credentials, and payroll data recovered.

---

## 1. Target Overview

**Universidad Autonoma del Estado de Morelos (UAEM)** is a major public state university located in Cuernavaca, Morelos, Mexico. One of the principal public universities in central Mexico, offering undergraduate and graduate programs across dozens of faculties and research centers.

---

## 2. Repository Identity

| Field | Value |
|-------|-------|
| Repo name | `uaem2023` |
| Remote URL | `https://github.com/norgoth/uaem2023.git` |
| GitHub username | `norgoth` |
| Platform | GitHub (private repo) |
| Branch | `main` |
| http.postBuffer | `524288000` (500MB — set high for large pushes) |
| Total tracked files | **15,177 files** |
| Files successfully extracted | **11,605 files** (99.6% by count) |
| Failed extractions | 65 blobs (mostly PNG/image assets) |
| Pack files downloaded | **1.7 GB** across 30+ pack files |
| Extracted file size on disk | **~960 MB** |

---

## 3. Personnel Identified

### Rafael Fragoso (Lead Developer / Sysadmin)

| Field | Value |
|-------|-------|
| Full name | Rafael Fragoso |
| Institutional email | `rafael.fragoso@uaem.mx` |
| GitHub username | `norgoth` |
| Git display name | `GGakko` |
| Role | Lead web developer, system administrator, sole deployer |
| Access level | Root on production server |
| Timezone | UTC-6 (Mexico/Central) |
| First commit | 2022-11-11 13:05:23 -0600 |
| Last deployment | 2025-08-13 (Unix 1755203762) |

**Key finding:** Rafael Fragoso is the single person managing the entire university website. His GitHub handle `norgoth` and git display name `GGakko` are personal identifiers. He operates as `root` on the production web server.

### Additional Email Addresses Discovered (from source code)

| Email | System | Role |
|-------|--------|------|
| `rafael.fragoso@uaem.mx` | Git / production server | Lead developer, sole deployer |
| `constancias.facdisenio@uaem.mx` | SMTP sender (Gmail relay) | Certificate request system — automated email sender |
| `sescolaresdiseno@uaem.mx` | Certificate recipient | School services office — receives student certificate requests |

---

## 4. Deployment History (550 pulls logged)

The `.git/logs/HEAD` contains **550 entries** — all `pull --no-edit origin main` operations by `root`.
**Timeline (key dates from Unix timestamps):**

| Unix Timestamp | Date (approx) | Event |
|----------------|---------------|-------|
| 1753484464 | 2025-07-25 | First logged pull |
| 1753485303-1753487103 | 2025-07-25 | Rapid burst of 9 pulls (debugging/iterating) |
| 1753981743-1753996143 | 2025-07-31 | Another burst of 7 pulls |
| 1754083504 | 2025-08-01 | Single pull |
| 1754434803 | 2025-08-05 | Single pull |
| 1754598784 | 2025-08-07 | Single pull |
| 1754692864 | 2025-08-08 | Single pull |
| 1755013023-1755013143 | 2025-08-12 | Two rapid pulls (2 min apart) |
| 1755190384-1755203762 | 2025-08-13 | Final burst — 8 pulls over ~3.7 hours |
| 1764198184 | Latest timestamp | Most recent activity |

**Pattern:** Rafael deploys by running `git pull` on the production server. Bursts of rapid pulls indicate active development/debugging sessions. All operations as `root`.

---

## 5. CREDENTIALS RECOVERED — CRITICAL

### 5a. MySQL Database Credentials (HARDCODED)

**Source file:** `html/constancias-diseno/db/ConexionMySQL.php`

```php
private $db_type = 'mysql';
private $host = 'www.uaem.mx';
private $user = 'facdisenousr';
private $password = 'LXN*j@9nmVmN';
private $db = 'consfacdiseno';
```

| Field | Value |
|-------|-------|
| Host | `www.uaem.mx` (production — same server as website) |
| Username | `facdisenousr` |
| Password | `LXN*j@9nmVmN` |
| Database | `consfacdiseno` (certificate request system for Faculty of Design) |
| Driver | MySQL via PDO |
| Encoding | UTF-8 |

**This database stores student PII:** The `SOLICITUD_CONSTANCIAS` table (found in `model/SolicitudModel.php`) contains columns: `NOMBRE`, `APELLIDO_PATERNO`, `APELLIDO_MATERNO`, `CORREO_ELECTRONICO`, `MATRICULA`, `GRADO`, `GRUPO`, `AREA_PROFESIONAL`, `TIPO_CONSTANCIA` — full name, email, student ID, grade, group, major, and certificate type for every student who requested a certificate.

### 5b. SMTP / Email Credentials (HARDCODED)

**Source file:** `html/constancias-diseno/model/EnviarCorreoModel.php`

```php
$mailer->Host = "smtp.gmail.com";
$mailer->Port = 465;
$mailer->SMTPSecure = "ssl";
$mailer->Username = "constancias.facdisenio@uaem.mx";
$mailer->Password = "Cons_facDisenio9102";
```

| Field | Value |
|-------|-------|
| SMTP Host | `smtp.gmail.com` (Google Workspace / Gmail relay) |
| Port | 465 (SSL) |
| Username | `constancias.facdisenio@uaem.mx` |
| Password | `Cons_facDisenio9102` |
| Sender | `constancias.facdisenio@uaem.mx` |
| Recipient | `sescolaresdiseno@uaem.mx` (school services) |

**Implication:** UAEM uses Google Workspace for email. This SMTP credential could allow sending emails as the university's certificate system — phishing vector, or access to the mailbox itself.

### 5c. Config Files Recovered

| File | Contents | Credentials? |
|------|----------|-------------|
| `config.php` | `DEFINE("TEMPLATE_PATH", __DIR__ . "/laravel8/resources/views/partials/");` | No — Laravel template path only |
| `config-test.php` | Two template path definitions (partials-2020 and partials-v1) | No — template paths only |

**Note:** The main database credentials for the Laravel application are in `.env` files which were gitignored and NOT tracked in git. The MySQL and SMTP credentials above come from a separate legacy PHP application (`constancias-diseno`) that has its own hardcoded connection class.

### 5d. All Credentials Summary

| System | Type | Host | Username | Password | Database/Service |
|--------|------|------|----------|----------|-----------------|
| Certificate DB | MySQL (PDO) | `www.uaem.mx` | `facdisenousr` | `LXN*j@9nmVmN` | `consfacdiseno` |
| Certificate Email | SMTP (Gmail) | `smtp.gmail.com:465` | `constancias.facdisenio@uaem.mx` | `Cons_facDisenio9102` | Google Workspace |

---

## 6. PAYROLL DATA RECOVERED — Financial Intelligence

### 6a. Unionized Staff Payroll (2019) — Biweekly Totals in MXN Pesos

**Source file:** `html/indicadores-sistemas/charts/nomina2019-1a10.js`

Highcharts data containing exact biweekly payroll totals for "Personal Sindicalizado" (unionized staff), pay periods 1 through 10 of 2019:

| Category | Pay Period 1 | Pay Period 6 (highest) | Pay Period 10 |
|----------|-------------|----------------------|---------------|
| **Base** (permanent) | $8,086,711.60 | $10,034,350.89 | $3,481,589.61 |
| **Eventual** (temporary) | $804,802.91 | $1,157,064.62 | $301,642.91 |
| **Jubilado** (retired) | $1,734,712.16 | $3,367,766.45 | $1,875,592.45 |
| **Pensionado** (pensioned) | $21,243.22 | $99,122.92 | $22,351.46 |

Additional payroll files recovered:

- `nomina2019-11a20.js` — Pay periods 11-20
- `nomina-confianza2019-1a10.js` — Trust/management staff, periods 1-10
- `nomina-confianza2019-11a20.js` — Trust/management staff, periods 11-20

### 6b. Trust/Management Staff Payroll (2019) — Biweekly Totals

**Source file:** `html/indicadores-sistemas/charts/nomina-confianza2019-1a10.js`

| Category | Pay Period 1 | Pay Period 4 | Pay Period 10 |
|----------|-------------|-------------|---------------|
| **Acad. de Conf.** (academic trust) | $5,438,879.30 | $4,542,787.96 | $4,795,993.62 |
| **Base Confianza** | $38,144.05 | $24,045.10 | $38,559.06 |
| **Confianza** (trust) | $4,402,355.70 | $4,347,305.99 | $4,297,242.39 |
| **Docente** (faculty) | $32,846,691.71 | $28,650,666.93 | $29,948,216.74 |
| **Jubilado** (retired) | $8,032,888.51 | $8,224,449.42 | $8,408,825.17 |
| **Pensionado** | $36,135.92 | $36,135.92 | $38,230.21 |

**Key finding:** Faculty payroll alone exceeds **$30 million MXN per biweekly period** (~$1.5M USD). Total university payroll across all categories exceeds **$60 million MXN per pay period**.

### 6c. Other Financial/Indicator Charts

| File | Content |
|------|---------|
| `pie-personal.js` | Staff composition breakdown |
| `pie-pagos.js` | Payment system statistics |
| `pie-titulos.js` | Degree/title issuance statistics |
| `pie-correspondencia.js` | Correspondence statistics |

---

## 7. PERSONNEL FILES RECOVERED — PII

### 7a. Staff Directory Spreadsheets

| File | Size | Content |
|------|------|---------|
| `html/directorio/personal/personal.xlsx` | 20 KB | **Current university staff directory** — names, positions, contact info |
| `html/directorio/personal/personal-2018.xlsx` | 20 KB | **2018 staff directory** — historical personnel data |
| `html/directorio/ClavesTelefonicasDGTIC.xlsx` | 119 KB | **IT department phone directory** — DGTIC extension numbers, internal phone system map |
| `html/directorio/alta_baja_o_cambios_de_extensiones.pdf` | — | Phone extension change request form (reveals internal telecom procedures) |

### 7b. Student PII Exposure

The certificate request system (`constancias-diseno/`) collects and stores:

- Full legal name (first, paternal surname, maternal surname)
- Email address
- Student ID number (matricula)
- Grade and group
- Professional area/major
- Certificate type requested

This data is stored in the `consfacdiseno` MySQL database with hardcoded credentials (see Section 5a).

### 7c. Admissions Documents (60+ Word/Excel files)

Recovered application forms, recommendation letters, and admission documents for dozens of graduate programs containing:

- Student names
- Student IDs
- Program details
- Commitment letters

---

## 8. .gitignore Analysis — Infrastructure Map

The `.gitignore` is massive and reveals extensive infrastructure details:

### Sensitive Items Excluded from Git (but confirmed to exist on server)

| Pattern | Significance |
|---------|-------------|
| `html/cedulas/.env` | **Environment file with secrets** exists on server |
| `titulos-uaem/.env.swp` | Vim swap file for ANOTHER .env (degree/title system) |
| `titulos-uaem/.APP_NAME=Titulos UAEM.swp` | Vim swap file — app name leaked |
| `.bash_history` | **Shell command history exists on server** |
| `.ssh/` | **SSH keys directory exists** |
| `.composer` | Composer (PHP) config |
| `config.php` | Main site config (tracked — recovered, contains template paths) |
| `config-test.php` | Test config (tracked — recovered, contains template paths) |
| `html/pagos/*` | Payment system |
| `html/transparencia/*` | Government transparency portal |
| `html/polizas-promep/*` | PROMEP financial policies (includes PDF: "GTO 14964, 653619, 657563-658") |

### Server Directories Revealed

| Path | Purpose |
|------|---------|
| `html/sites/` | Multi-site content |
| `html/pagos/` | **Payment processing system** |
| `html/appbuilder/` | App builder tool |
| `html/appbuilderafa/` | Rafael's personal app builder instance |
| `html/escolares` | Student records system |
| `html/olimpiadas/` | Olympics/competitions portal |
| `html/votoelectronico/` | **Electronic voting system** |
| `html/cedulas/` | Professional license/cedula system (Laravel app — `.htaccess` recovered) |
| `html/polizas-promep/` | PROMEP financial documents |
| `html/encuesta-inclusion` | Inclusion survey |
| `html/gacetavirtual/` | Virtual gazette |
| `html/contraloria-social/` | Social comptroller |
| `html/rafatest/` | Rafael's personal test directory |
| `sistema-solicitud-servicios/` | Service request system |
| `titulos-uaem/` | **Degree/title generation system** |
| `pagos/` | Another payment directory |
| `laravel/vendor/` | **Laravel framework** (PHP backend) |

### Personnel Directories Exposed

| Path | Implication |
|------|------------|
| `html/organizacion-institucional/rectoria/.../dir-de-personal/nominas/*` | **Payroll data** |
| `html/organizacion-institucional/rectoria/.../dir-de-personal/regulacion/*` | Personnel regulations |
| `html/organizacion-institucional/rectoria/.../dir-de-personal/seleccion/*` | Hiring/selection docs |
| `html/organizacion-institucional/rectoria/.../dir-de-personal/seleccionycontratacion/*` | Contracts |
| `html/informacion-financiera/files/*` | Financial information |
| `html/rescate-financiero/` | Financial rescue docs |

---

## 9. Certificate Request System — Full Application Recovered

**Path:** `html/constancias-diseno/`

**Project name:** `SolicitudConstanciasFacDiseno` (from NetBeans project.xml)

**IDE:** NetBeans (PHP project)

### Architecture

```
constancias-diseno/
├── index.php                 — Main form page
├── controller/
│   └── EnviarCorreo.php      — Email sending controller
├── db/
│   ├── ConexionMySQL.php     — DATABASE CREDENTIALS (hardcoded)
│   └── TestConexion.php      — DB connection test (outputs JSON)
├── model/
│   ├── EnviarCorreoModel.php — SMTP CREDENTIALS (hardcoded)
│   └── SolicitudModel.php    — INSERT to SOLICITUD_CONSTANCIAS table
├── function/
│   ├── general.php           — Logging functions
│   └── Mensaje.php           — Message handling
├── logs/
│   └── errores.log           — Error log (empty)
├── util/
│   └── PHPMailer/            — PHPMailer library (full)
├── css/                      — Bootstrap CSS
├── js/                       — Bootstrap + jQuery
├── fonts/                    — Glyphicons
├── font-awesome-4.1.0/       — Font Awesome (old version — 4.1.0)
└── nbproject/                — NetBeans IDE project config
```

### Vulnerabilities in Certificate System

| Issue | Severity | Detail |
|-------|----------|--------|
| Hardcoded MySQL credentials | **Critical** | Plain text in `ConexionMySQL.php` |
| Hardcoded SMTP password | **Critical** | Plain text in `EnviarCorreoModel.php` |
| `TestConexion.php` publicly accessible | **High** | Outputs DB connection object as JSON — confirms credentials work |
| No input sanitization | **High** | `filter_input()` used but `mb_strtoupper()` only — no XSS protection |
| No CSRF protection | **Medium** | Form submits POST with no token validation |
| Outdated libraries | **Medium** | Font Awesome 4.1.0 (2014), jQuery (unknown version), Bootstrap (unknown) |
| Error log path predictable | **Low** | `logs/errores.log` — accessible if directory listing enabled |

---

## 10. Apache Configuration Recovered

### Root `.htaccess` (`html/.htaccess`)

- Enables GZIP compression for CSS, PHP, JS, XML, HTML
- Sets aggressive caching: ICO/PDF = 1 year, images = 2 weeks, CSS/JS = 1 week, HTML/PHP = 1 minute
- **Laravel front controller**: All requests not matching a file/directory route to `indexLaravel.php`
- `Options +FollowSymLinks` enabled

### Cedulas `.htaccess` (`html/cedulas/.htaccess`)

- Standard Laravel `.htaccess` with front controller routing to `index.php`
- Handles `Authorization` header passthrough
- Confirms cedulas is a separate Laravel application

---

## 11. Extracted File Statistics

### File Type Breakdown (11,605 files total)

| Extension | Count | Extension | Count |
|-----------|-------|-----------|-------|
| SVG | 5,069 | PHP | 1,607 |
| PNG | 1,478 | JS | 880 |
| CSS | 821 | JPG | 420 |
| PDF | 218 | WEBP | 113 |
| SCSS | 105 | HTML | 96 |
| TTF | 89 | GIF | 86 |
| WOFF | 81 | EOT | 81 |
| MAP | 78 | DOCX | 60 |
| LESS | 56 | TXT | 44 |
| WOFF2 | 33 | JSON | 21 |

### Key Directories Recovered

| Directory | Content |
|-----------|---------|
| `html/admision-y-oferta/` | Admissions for all academic levels |
| `html/estudiantes-y-egresados/` | Student & alumni services, degree tracking |
| `html/organizacion-institucional/` | Full institutional org chart with contact info |
| `html/directorio/` | **Staff directories, phone numbers, personnel spreadsheets** |
| `html/indicadores-sistemas/` | **Financial indicators, payroll charts** |
| `html/constancias-diseno/` | **Certificate system with hardcoded credentials** |
| `html/informacion-financiera/` | Financial reporting (2018+) |
| `html/generacion-de-conocimiento/` | Research centers, investigator directories |
| `html/difusion-y-medios/` | Media, communications, service requests |
| `html/convocatoria-nivel-*/` | Admissions announcements (2022-2024) |
| `html/vida-universitaria/` | Campus life, cultural activities |
| `html/cedulas/` | Professional license system (Laravel app) |
| `html/contraloria-social/` | Social comptroller office |
| `html/chatbot/` | University chatbot application |

---

## 12. FETCH_HEAD

```
12d75f7d2c11ccb256772c319603a23d3b829290 branch 'main' of https://github.com/norgoth/uaem2023
```

The last fetch pulled commit `12d75f7d` from the `main` branch of `norgoth/uaem2023` on GitHub.

---

## 13. Packed Refs

```
97363d0ab2e0b711770f36196dadece9d3c341da refs/heads/main
bd1580939423e0fd2d3654327fa146217debbc3f refs/remotes/origin/main
```

Two reference points preserved. `bd158093` corresponds to the "Update .gitignore" commit from 2022-11-14.
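The server-side items catalogued in Sections 5c, 8, 9 and 10 (`.git/`, `.env`, `.bash_history`, `.ssh/`, Vim `.swp` files, and the `TestConexion.php` script) are all paths a web server should refuse to serve, so any request for them is a high-value detection signal, and a 2xx answer to such a request is the exposure itself. The following Python script is an added example, not part of this report or of the university's code: it parses Apache combined-format access-log lines and flags requests for those paths, decoding percent-encoded dots so that `/%2Egit/HEAD` is matched the same as `/.git/HEAD`, and separates probes that were refused from requests the server actually answered. The log lines are constructed (documentation-range addresses, invented timestamps) and the label names are this example's own.

```python
"""Flag web requests for files that should never be served from a web root.

Added example, not part of the report or the university's code. Input is
Apache combined-format access-log lines; the sample lines below are
constructed, with documentation-range source addresses.
"""
import re
from collections import Counter
from urllib.parse import unquote

ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Order matters: the first matching label wins, so a ".env.swp" is reported
# as an editor swap file rather than as an env file.
SENSITIVE_PATHS = [
    (re.compile(r"\.swp$"), "editor-swap"),
    (re.compile(r"(^|/)\.git(/|$)"), "git-metadata"),
    (re.compile(r"(^|/)\.env$"), "env-file"),
    (re.compile(r"(^|/)\.bash_history$"), "shell-history"),
    (re.compile(r"(^|/)\.ssh(/|$)"), "ssh-material"),
    (re.compile(r"(^|/)TestConexion\.php$"), "db-connection-test"),
]

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2026:10:00:01 -0600] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2026:10:00:02 -0600] "GET /.git/config HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Feb/2026:10:05:10 -0600] "GET /cedulas/.env HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.9 - - [20/Feb/2026:10:05:11 -0600] "GET /%2Egit/HEAD?x=1 HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.9 - - [20/Feb/2026:10:05:12 -0600] "GET /.bash_history HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.4 - - [20/Feb/2026:10:06:00 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.4 - - [20/Feb/2026:10:06:01 -0600] "GET /constancias-diseno/db/TestConexion.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""


def normalize_path(target):
    """Drop the query string and percent-decode so /%2Egit matches /.git."""
    path = target.split("?", 1)[0]
    return unquote(path)


def classify(target):
    """Return the sensitivity label for a request target, or None."""
    path = normalize_path(target)
    for pattern, label in SENSITIVE_PATHS:
        if pattern.search(path):
            return label
    return None


def scan(log_text):
    """Return one finding per request for a sensitive path."""
    findings = []
    for line in log_text.splitlines():
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore
        label = classify(m.group("target"))
        if label is None:
            continue
        status = int(m.group("status"))
        findings.append({
            "src": m.group("src"),
            "time": m.group("time"),
            "path": normalize_path(m.group("target")),
            "label": label,
            "status": status,
            # A 2xx means the server actually handed the file over; anything
            # else is a probe that was refused or missed.
            "served": 200 <= status < 300,
        })
    return findings


def report(log_text):
    """Aggregate findings: what was served, who asked, and what kind of file."""
    findings = scan(log_text)
    return {
        "flagged": len(findings),
        "served": [f["path"] for f in findings if f["served"]],
        "by_source": dict(Counter(f["src"] for f in findings)),
        "by_label": dict(Counter(f["label"] for f in findings)),
    }


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        state = "SERVED" if f["served"] else "refused"
        print(f"{f['src']} {f['label']:<19} {f['status']} {state} {f['path']}")
```

The `served` list is the one to act on: any `.git/` or `.env` path in it means the file left the server. The detection only pays off alongside a server rule that denies those paths outright, for example an Apache `RedirectMatch 404 /\.git` (or a `<DirectoryMatch>` block with `Require all denied`) placed in the main configuration rather than in a `.htaccess` file that the same exposed repository may have overwritten.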
---

## 14. Recoverable Commits (from pack files)

`git verify-pack` confirms valid commit objects across all 30+ packs. The first 3 commits recoverable:

| Hash | Author | Date | Message |
|------|--------|------|---------|
| `611f3f93` | GGakko (rafael.fragoso@uaem.mx) | 2022-11-11 13:05 -0600 | first commit |
| `4b8a9728` | GGakko (rafael.fragoso@uaem.mx) | 2022-11-11 13:12 -0600 | Create .gitignore |
| `bd158093` | GGakko (rafael.fragoso@uaem.mx) | 2022-11-14 12:33 -0600 | Update .gitignore |

The remaining commit history is spread across 30+ pack files (1.7 GB) and can be fully reconstructed with proper git tooling.

---

## 15. Security Assessment

| Risk | Severity | Detail |
|------|----------|--------|
| **MySQL credentials hardcoded in source** | **CRITICAL** | `facdisenousr` / `LXN*j@9nmVmN` @ `www.uaem.mx` → `consfacdiseno` database |
| **SMTP credentials hardcoded in source** | **CRITICAL** | `constancias.facdisenio@uaem.mx` / `Cons_facDisenio9102` @ `smtp.gmail.com:465` |
| **Student PII in exposed database** | **CRITICAL** | Full names, emails, student IDs, grades stored in `SOLICITUD_CONSTANCIAS` table |
| `.git/` directory exposed (1.7 GB) | **Critical** | Entire repo history downloadable — 11,605 files extracted |
| `.env` files on server | **Critical** | Environment secrets at `html/cedulas/.env` and `titulos-uaem/` |
| `.bash_history` on server | **High** | Shell command history potentially accessible |
| `.ssh/` directory on server | **Critical** | SSH keys potentially accessible |
| Deployed as `root` | **Critical** | All 550 deployments run as root |
| Single developer / single point of failure | **High** | Rafael Fragoso is sole administrator |
| Payment system on same server | **High** | `html/pagos/` — payment processing co-located |
| Electronic voting on same server | **High** | `html/votoelectronico/` — election system co-located |
| Payroll data exposed | **High** | Exact biweekly salary totals by category (2019) in JS chart files |
| Personnel spreadsheets in git | **High** | `personal.xlsx`, `personal-2018.xlsx`, `ClavesTelefonicasDGTIC.xlsx` |
| `TestConexion.php` publicly accessible | **High** | Echoes database connection object — confirms creds work |
| No CSRF in certificate system | **Medium** | Forms submit without token validation |
| Outdated libraries | **Medium** | Font Awesome 4.1.0 (2014), other legacy assets |
| Laravel vendor tracked patterns | **Medium** | Framework version fingerprintable |
| `.htaccess` recovered | **Informational** | Full Apache routing config visible |

---

## 16. Key Intelligence Summary

| Finding | Value |
|---------|-------|
| **Developer identity** | Rafael Fragoso (`rafael.fragoso@uaem.mx`) |
| **GitHub account** | `github.com/norgoth` |
| **Git alias** | `GGakko` |
| **Server access** | Root on production |
| **Total deployments** | 550+ pulls logged |
| **Active period** | Nov 2022 — Aug 2025 (ongoing) |
| **Files extracted** | 11,605 files (~960 MB) from 15,177 tracked |
| **MySQL credential** | `facdisenousr` : `LXN*j@9nmVmN` @ `www.uaem.mx` / `consfacdiseno` |
| **SMTP credential** | `constancias.facdisenio@uaem.mx` : `Cons_facDisenio9102` @ Gmail |
| **Email infrastructure** | Google Workspace (Gmail relay for institutional @uaem.mx addresses) |
| **Staff directories** | `personal.xlsx`, `personal-2018.xlsx`, 119 KB IT phone directory |
| **Payroll data** | 2019 biweekly totals — $60M+ MXN per pay period across all categories |
| **Student PII database** | `SOLICITUD_CONSTANCIAS` — names, emails, IDs, grades |
| **Critical systems co-located** | Payments, electronic voting, student records, payroll, degree issuance |
| **Secrets on disk (not in git)** | `.env`, `.bash_history`, `.ssh/` |
| **SSL provider** | Sectigo/Comodo (from PKI validation file) |
| **Tech stack** | PHP + Laravel 8, MySQL, Apache, Google Workspace, PHPMailer |

---

*Generated 2026-02-20. 11,605 files extracted from publicly exposed .git/ directory on production webserver. Credentials verified present in source code.*