
OBSERVATION: Sensitive and administrative pages are not restricted to specific users & IP addresses

AIC High Hacker System(s)


• https://chengetedzai.co.zw/wp-login.php

• https://chengetedzai.co.zw/wp-load.php

• https://chengetedzai.co.zw/wp-links-opml.php

• https://chengetedzai.co.zw/wp-cron.php

• etc.

Description

Confidential and administrative pages are reachable from any source address; access to them is not restricted to specific users or IP addresses.

RISK
• An attacker can reach critical functionality directly and run brute-force or authentication-bypass attacks against it; a successful attack yields unauthorized administrative access and the ability to read or modify confidential data.

RECOMMENDATIONS
• Restrict access to sensitive pages with an access list of specific users and source IP addresses (enforced at the web server or a WAF in front of the application).
• Server-side files that are not entry points (.txt, .rules, .htaccess, and WordPress core and include files such as wp-load.php and wp-links-opml.php) should be unreachable from the web; only client-side assets (js, css, png, jpeg, ico and similar) and the few PHP entry points the site actually needs should be served.
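The access policy in these two recommendations, as an added example written for this edit rather than taken from the report or from the site's configuration: administrative paths are served only to allow-listed source addresses, server-side files that are not entry points return 404, and client assets stay public. The allow-listed ranges, the file lists and the wp-cron.php entry (which assumes cron is driven by the system scheduler instead) are illustrative assumptions. In production this policy belongs in the web server or a WAF in front of WordPress; the code shows the decision order and the canonicalisation step that such rules are routinely bypassed on when it is missing.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumed allow-list for administrative paths (placeholder ranges, not CDC's).
ADMIN_ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Legitimate entry points that must nevertheless be IP-restricted.
ADMIN_PREFIXES = ("/wp-login.php", "/wp-admin/")

# Entry points the public front end needs even though they look administrative or
# carry a blocked extension (admin-ajax.php is used by many themes and plugins).
PUBLIC_ENTRYPOINTS = {"/", "/index.php", "/wp-admin/admin-ajax.php", "/robots.txt"}

# Client-side assets that are always served.
PUBLIC_SUFFIXES = (".js", ".css", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".woff", ".woff2")

# Server-side files that are not entry points.  The first two are from the finding;
# wp-cron.php assumes cron is driven by the system scheduler (DISABLE_WP_CRON).
BLOCKED_EXACT = {"/wp-load.php", "/wp-links-opml.php", "/wp-cron.php", "/wp-config.php", "/xmlrpc.php"}
BLOCKED_PREFIXES = ("/wp-includes/", "/wp-content/plugins/", "/wp-content/themes/",
                    "/.git/", "/.htaccess", "/.env")
BLOCKED_SUFFIXES = (".php", ".txt", ".rules", ".log", ".sql", ".bak")


def canonical_path(raw_path: str) -> str:
    """Reduce a request path to the form the policy is evaluated on: query string
    dropped, percent-decoding applied twice (double encoding), backslashes and case
    folded, '.'/'..' segments and duplicate slashes collapsed.  Without this step
    '/WP-ADMIN/../wp-login.php' or '/wp-%6cogin.php' would dodge a prefix rule."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path)).replace("\\", "/").lower()
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)
    norm = "/" + norm.lstrip("/")             # normpath keeps a leading '//'
    if path.endswith("/") and norm != "/":    # keep the directory marker
        norm += "/"
    return norm


def decide(raw_path: str, client_ip: str):
    """Return (status, reason): 200 serve, 403 allow-list refusal, 404 for
    server-side files that should not exist from the web's point of view."""
    path = canonical_path(raw_path)
    ip = ipaddress.ip_address(client_ip)

    if path in PUBLIC_ENTRYPOINTS:
        return 200, "public entry point"
    if path.startswith(ADMIN_PREFIXES):
        if any(ip in net for net in ADMIN_ALLOWED_NETS):
            return 200, "administrative path, client on allow-list"
        return 403, "administrative path, client not on allow-list"
    if path.endswith(PUBLIC_SUFFIXES):
        return 200, "static asset"
    if path in BLOCKED_EXACT or path.startswith(BLOCKED_PREFIXES) or path.endswith(BLOCKED_SUFFIXES):
        return 404, "server-side file, not served"
    return 200, "routed to the front controller"


if __name__ == "__main__":
    for request in ("/wp-login.php", "/WP-ADMIN/../wp-login.php", "/wp-%256cogin.php",
                    "/wp-load.php", "/wp-includes/js/jquery/jquery.min.js", "/client-portal/login"):
        print(f"{request:45} from 8.8.8.8 -> {decide(request, '8.8.8.8')}")
```

The order of the checks matters: the public entry points (admin-ajax.php, which the front end uses, and robots.txt) are exempted before the admin and extension rules run, otherwise the site breaks or robots.txt disappears; the static-asset rule runs before the blocked-prefix rule so that scripts and styles under wp-includes and wp-content still load.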

OBSERVATION: Shared website hosting


AIC High Hacker System(s)
• (95.111.227.164) chengetedzai.co.zw

• (197.211.212.152) chengetedzai.com

Description

The official website is hosted on a shared server together with several other web applications.

RISKS
• If any other site on the server is compromised, the attacker's position on the host eases access to the other sites hosted there, including the CDC website.
• A malicious customer can purchase the same plan from the shared hosting provider and use their own site as a foothold to reach other sites on the server.
• CDC cannot control the hardening of the server or access to its configuration files.

RECOMMENDATION
• Host the official website on a virtual private server, so that CDC controls the server's hardening and configuration.

OBSERVATION: Vulnerable PHP version

AIC High Hacker System(s)

https://chengetedzai.co.zw

Description

According to its banner, the PHP version running on the remote host is affected by numerous known vulnerabilities, mainly remote code execution, denial of service and XSS. Since distribution packages often backport fixes without changing the reported version, the banner-based result should be confirmed against the actual patch level.

RISK
• The installed version is affected by several published vulnerabilities, including denial of service, cross-site request forgery and XSS.

RECOMMENDATION
• As per the vendor advisory, upgrade PHP to its latest stable version (8.1.4 as of 27 March 2022).

OBSERVATION: Lack of Brute-force Protection

AC High Technical System(s)

https://chengetedzai.co.zw

• Client Portal:
o POST /client-portal/login
o POST /client-portal/register
o POST /client-portal/forgot
• Contact form
o POST /wp-json/contact-form-7/v1/contact-forms/5/feedback
• Request form

o POST /wp-json/contact-form-7/v1/contact-forms/3000/feedback

Description

The above requests/forms have no brute-force protection mechanism (no rate limit, CAPTCHA or lockout).

RISKS
• An attacker can run a brute-force attack against the listed functionality, leading to:

- junk records filling server storage (mass registrations and form submissions)

- denial of service

- cracked login credentials

RECOMMENDATION
• Implement an anti-brute-force mechanism such as CAPTCHA and/or limit the number of requests accepted per source address and per account.
OBSERVATION: User Enumeration

AC High Technical System(s)

Functionalities:

• WordPress:

o Login Page: https://chengetedzai.co.zw/wp-login.php

o Forgot Password: https://chengetedzai.co.zw/wp-login.php?action=lostpassword

• Client Portal:

o Forgot Password: https://chengetedzai.co.zw/client-portal/forgot

Description

The server's response differs depending on whether the submitted account exists, so the listed functionality reveals valid usernames, and nothing blocks repeated attempts.

RISKS
• An unauthenticated attacker can confirm which user accounts exist, without being blocked, by submitting a list of candidate usernames to the mentioned functionality and observing the differing responses; the resulting list of valid accounts feeds a brute-force attack on the login page.

RECOMMENDATIONS
• Return the same response (message, status code, redirect and response time) for existing and non-existent users on each mentioned functionality.

OBSERVATION: Web Form allows caching on the client side

IC Medium User System(s)

• https://chengetedzai.co.zw/wp-login.php

• https://chengetedzai.co.zw/wp-login.php?action=lostpassword

Description

When a value is entered in a form field and the form is submitted, the browser stores it (form autofill). The next time the form is displayed, the field is filled in automatically.

RISKS
• An attacker with local access to the machine could read the clear-text username or other stored parameters from the browser's autofill data and combine them with further techniques in later attacks (such as a brute-force attack, or a denial of service against the user in question by triggering lockout).

RECOMMENDATIONS
• Autocomplete should be disabled on all sensitive fields. To disable it, use markup similar to:
<input type="text" name="username" autocomplete="off">
Note that current browsers treat autocomplete="off" as advisory on login forms and may still offer saved credentials from the password manager, so this reduces but does not eliminate the exposure.

OBSERVATION: Web Application susceptible to Man in the Middle Attack

C Medium Technical System(s)

https://chengetedzai.co.zw (95.111.227.164)

HSTS is not enforced on the web gateway, and the traffic carries no second layer of encryption beyond TLS.

RISKS
• A network attacker positioned between the user and the site can intercept the user's first plain-HTTP request and keep the session on HTTP or on an attacker-controlled TLS endpoint (SSL stripping), reading or tampering with the data.

RECOMMENDATIONS
• Enforce HSTS (send Strict-Transport-Security with a long max-age on every HTTPS response and redirect all plain-HTTP requests to HTTPS) and/or encrypt sensitive traffic with a 2nd layer of encryption.

OBSERVATION: Weak SSL Versions Protocol Detection and Weak SSL Block Size Cipher
suites

C Medium Hacker System(s)

• 197.211.212.152:443 (chengetedzai.com)

• 95.111.227.164:443 (chengetedzai.co.zw)

Description

It was noted that the servers accept TLS 1.0 and TLS 1.1 connections and offer cipher suites (AES and CAMELLIA128 in CBC mode) that are exposed to several known attacks. It is recommended to disable these protocols and ciphers and to use TLS 1.2 / TLS 1.3 with strong ciphers only.

RISKS
An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or
decrypt communications between the affected service and clients.

RECOMMENDATIONS
• Disable TLS 1.0 and TLS 1.1 and allow only TLS 1.2 and TLS 1.3.
• Disable the CBC-mode AES and Camellia suites as well as DES/3DES and RC4, and use only high-strength AEAD suites (AES-GCM).
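The checks behind this recommendation and the HSTS recommendation above, as an added example that is not part of the report: one function grades a Strict-Transport-Security header, another classifies each (protocol, cipher suite) pair a server accepted against the policy of TLS 1.2/1.3 and AEAD suites only. The scan result is constructed to look like the finding, not captured from the hosts, and OpenSSL suite names are assumed. It also flags static-RSA key exchange (no forward secrecy), which goes beyond what the finding lists.

```python
import re

MIN_HSTS_MAX_AGE = 31536000  # one year; the value the browser preload list requires


def grade_hsts(header_value):
    """Problems with a Strict-Transport-Security header value; [] means acceptable.
    Pass None when the HTTPS response carried no such header."""
    if header_value is None:
        return ["HSTS header absent"]
    directives = {}
    for part in header_value.split(";"):
        part = part.strip().lower()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip()] = value.strip().strip('"')
    problems = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(max_age) < MIN_HSTS_MAX_AGE:
        problems.append(f"max-age {max_age} below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    return problems


LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
BROKEN_PRIMITIVES = re.compile(r"RC4|DES|NULL|EXPORT|MD5|SEED|IDEA")  # '3DES' matches DES
AEAD_MODES = re.compile(r"GCM|CCM|CHACHA20")


def suite_problems(protocol, suite):
    """Policy violations for one accepted (protocol, cipher suite) pair, using
    OpenSSL-style names.  TLS 1.3 suites ('TLS_...') are AEAD and forward secret
    by construction; in TLS 1.2 names, ECDHE-/DHE- prefixes mark ephemeral exchange."""
    problems = []
    if protocol in LEGACY_PROTOCOLS:
        problems.append("legacy protocol")
    if BROKEN_PRIMITIVES.search(suite):
        problems.append("broken primitive")
    if not AEAD_MODES.search(suite):
        problems.append("not AEAD")
    if not suite.startswith(("ECDHE-", "DHE-", "TLS_")):
        problems.append("no forward secrecy")
    return problems


def evaluate_scan(accepted):
    """accepted: iterable of (protocol, suite) pairs the server negotiated.
    Returns {'protocol suite': problems} for the pairs that violate policy only."""
    report = {}
    for protocol, suite in accepted:
        problems = suite_problems(protocol, suite)
        if problems:
            report[f"{protocol} {suite}"] = problems
    return report


# Constructed scan result shaped like the finding (not a capture from the hosts).
SCAN = [
    ("TLSv1.0", "AES128-SHA"),
    ("TLSv1.0", "CAMELLIA128-SHA"),
    ("TLSv1.1", "AES256-SHA"),
    ("TLSv1.2", "ECDHE-RSA-AES128-SHA256"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]

if __name__ == "__main__":
    print("HSTS (absent):", grade_hsts(None))
    print("HSTS (weak):  ", grade_hsts("max-age=300"))
    for pair, problems in evaluate_scan(SCAN).items():
        print(f"{pair:40} {', '.join(problems)}")
```

The two GCM suites are the only ones that pass; the CBC suite offered under TLS 1.2 fails on its own even though the protocol is acceptable, which is why the recommendation has to address ciphers and protocol versions separately.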

OBSERVATION: ROBOTS.TXT
95.111.227.164 (chengetedzai.co.zw)
The robots.txt file lists critical directories, exposing them publicly, as shown below:
https://chengetedzai.co.zw/robots.txt
A robots.txt file tells search-engine crawlers which paths they should not index; it is advisory only and is not an access control. If critical directories and paths are neither reachable nor referenced inside the website, there is no need to list them in this file, and listing them only hands an attacker a map of hidden locations.

RECOMMENDATIONS
• Disallow all paths and explicitly allow only the paths that need to be indexed.
• Review and fine-tune robots.txt so that it does not enumerate hidden pages for a malicious user, and protect those pages with access control rather than relying on robots.txt.

OBSERVATION: Sensitive and Administrative Pages


SHELT was able to enumerate the administrative login page used for website administration. The page is publicly exposed, which facilitates brute-force attacks aimed at unauthorized administrative access, as shown below:
4.8.1.1 95.111.227.164 (chengetedzai.co.zw)
SHELT was able to enumerate the WordPress login page as shown below:

https://chengetedzai.co.zw/wp-login.php
RECOMMENDATIONS
It is recommended to restrict access to the administrative login page to authorized IP addresses only.
Additionally, it is recommended to implement the following:
• A dynamic second factor of authentication.
• HSTS and/or a 2nd layer of encryption.
• A rotating on-screen virtual keyboard.
• Account lockout for brute-force protection, combined with per-source rate limiting so that the lockout itself cannot be used to deny service to legitimate users.

OBSERVATION: WordPress Administrator Enumeration


Detected exposure of sensitive REST API routes on the WordPress web application, as shown below:

https://chengetedzai.co.zw/?rest_route=/wp/v2/

The screenshot below shows the administrator user of the WordPress web application:
https://chengetedzai.co.zw/?rest_route=/wp/v2/users/

RISK
• An attacker can use the disclosed username to launch a brute-force attack against the login page and gain full, unauthorized control of the WordPress CMS.

RECOMMENDATIONS
• Hide/remove, or forbid unauthenticated access to, the users route and any other page that reveals account names.

OBSERVATION: WordPress CMS version detection


The application disclosed the precise CMS version when the following URL was accessed, "https://chengetedzai.co.zw/wp-links-opml.php", as shown below:
Precise CMS version

RECOMMENDATIONS
• Remove the CMS metadata (generator tag and version strings) from all pages and block access to the core PHP files.
• Even though the installed WordPress release is the latest stable one, keep it updated with the relevant patches.

OBSERVATION: 4.8.1.4 WordPress core PHP files accessible


Direct requests for WordPress core PHP files succeeded, as shown below:

https://chengetedzai.co.zw/wp-load.php
It is important to note that many PHP core files of the WordPress CMS are accessible in this way.

RECOMMENDATIONS
• Restrict access to those files, or answer requests for them as if the page did not exist (404).

OBSERVATION: 4.8.1.5 95.111.227.164 (Misc)


The administrator login page of the Plesk panel belonging to the shared hosting provider was viewable:

OBSERVATION: Lack of Brute-Force Protection
It was possible to conduct brute-force attacks against all the POST forms, leading to junk data in server storage and denial of service.
A sample is shown below:
• The client login portal (POST /client-portal/login) has no brute-force protection (such as CAPTCHA), so a malicious user can attempt an unlimited number of logins.
Client Login Page
Brute Force attack on register page

Similarly affected:
• Client Portal:
o POST /client-portal/login
o POST /client-portal/forgot
• Contact form:
o POST /wp-json/contact-form-7/v1/contact-forms/5/feedback
• Request form:
o POST /wp-json/contact-form-7/v1/contact-forms/3000/feedback

RECOMMENDATIONS
• Implement an anti-brute-force mechanism, such as CAPTCHA, and/or limit the number of requests accepted per source address and per account.
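One way to implement this recommendation and the identical one in the summary section above, as an added example (not the site's code): two independent limits on the listed POST endpoints, a per-IP sliding window and a per-account failure counter, with illustrative thresholds and an injectable clock. The per-account limit deliberately does not hard-lock the account: a hard lock lets anyone deny service to a victim by submitting wrong passwords, so past the threshold the account is switched to step-up (CAPTCHA) mode instead, while the per-IP window is what stops a single source from flooding the register and contact forms.

```python
import time
from collections import defaultdict, deque

ALLOW, CAPTCHA, BLOCKED = "allow", "captcha", "blocked"


class FormThrottle:
    """Admission control for the login, register, forgot-password and contact endpoints."""

    def __init__(self, ip_limit=20, ip_window=60, fail_threshold=5, fail_window=900,
                 clock=time.monotonic):
        self.ip_limit, self.ip_window = ip_limit, ip_window                  # POSTs per IP per window
        self.fail_threshold, self.fail_window = fail_threshold, fail_window  # failed logins per account
        self.clock = clock                                                   # injectable for tests
        self._ip_hits = defaultdict(deque)     # ip -> timestamps of recent POSTs
        self._acct_fails = defaultdict(deque)  # account -> timestamps of recent failed logins

    @staticmethod
    def _prune(q, window, now):
        while q and now - q[0] > window:
            q.popleft()

    def check(self, ip, account=None):
        """Call before handling a POST.  Counts the request against the IP and returns
        ALLOW, CAPTCHA (account over its failure threshold: demand step-up, do not
        lock) or BLOCKED (IP over its request budget: respond 429 without processing)."""
        now = self.clock()
        hits = self._ip_hits[ip]
        self._prune(hits, self.ip_window, now)
        if len(hits) >= self.ip_limit:
            return BLOCKED
        hits.append(now)
        if account is not None:
            fails = self._acct_fails[account.lower()]
            self._prune(fails, self.fail_window, now)
            if len(fails) >= self.fail_threshold:
                return CAPTCHA
        return ALLOW

    def record_login(self, account, success):
        """Call after the credential check.  Failures accumulate per account (case-
        insensitively, so 'Admin' and 'admin' share one budget); success resets it."""
        key = account.lower()
        if success:
            self._acct_fails.pop(key, None)
        else:
            self._acct_fails[key].append(self.clock())


def scenario():
    """Walk one attacker through both limits with a fake clock; returns the decisions."""
    t = [0.0]
    th = FormThrottle(ip_limit=3, ip_window=60, fail_threshold=2, fail_window=900,
                      clock=lambda: t[0])
    out = []
    out.append(th.check("198.51.100.9", "admin"))
    th.record_login("admin", False)
    out.append(th.check("198.51.100.9", "admin"))
    th.record_login("admin", False)
    out.append(th.check("198.51.100.9", "admin"))   # two failures -> step-up, not lockout
    out.append(th.check("198.51.100.9", "admin"))   # fourth POST inside the window -> 429
    out.append(th.check("203.0.113.77", "Admin"))   # new IP, same account -> still step-up
    t[0] = 61.0
    out.append(th.check("198.51.100.9"))            # window elapsed -> contact/register allowed again
    th.record_login("admin", True)
    out.append(th.check("203.0.113.77", "admin"))   # a successful login cleared the failure budget
    return out


if __name__ == "__main__":
    print(scenario())
```

The register and contact-form handlers call check() with no account, so only the per-IP budget applies to them; the login handler calls check() with the submitted username and then record_login() with the outcome, which is what keeps the per-account budget honest without giving an attacker a way to lock the real user out.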

OBSERVATION: User Enumeration


SHELT tested the web application and noticed that error responses are not unified for the following functionalities.

WordPress
4.10.1.1 Login Page:


Upon failed login, the error reveals that the user exists as shown below:

Failed login for invalid user


Failed login for valid user

Forgot Password: Upon accessing the “Forgot Password” functionality, the response reveals
that the user exists as shown below:
Response for invalid User

Response for Valid User

Client Portal
4.10.2.1 Forgot password
Upon accessing the “Forgot Password” functionality, the response reveals that the user
exists as shown below:

Response for invalid user


RECOMMENDATIONS
• It is recommended to unify the server's error responses (message, status code, redirect and response time) on each of the mentioned functionalities.
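A checker for this recommendation and the matching one in the summary section, as an added example that is not part of the report: it compares the response for a non-existent user with the response for an existing user and lists every channel on which the two differ. The responses below are constructed to resemble the behaviour the finding describes, not captured from the site. Unifying only the visible message is not enough; status code, redirect target, page content and response time leak too, and a tester diffs all of them.

```python
import re


def normalise(body: str, submitted_user: str) -> str:
    """Strip per-request noise so that only real differences remain: the echoed
    username, WordPress nonces, unix timestamps and whitespace."""
    body = body.replace(submitted_user, "USER")
    body = re.sub(r'name="_wpnonce" value="[0-9a-f]+"', 'name="_wpnonce" value="NONCE"', body)
    body = re.sub(r"\b\d{10}\b", "TS", body)
    return re.sub(r"\s+", " ", body).strip()


def enumeration_signals(resp_unknown: dict, resp_known: dict, timing_tolerance: float = 0.25) -> list:
    """Compare the response for a non-existent user with the one for an existing user.
    Each response is a dict with keys user, status, headers, body, elapsed (seconds).
    Returns the channels on which the two can be told apart; [] means unified."""
    signals = []
    if resp_unknown["status"] != resp_known["status"]:
        signals.append("status")
    if resp_unknown["headers"].get("Location") != resp_known["headers"].get("Location"):
        signals.append("location")
    if normalise(resp_unknown["body"], resp_unknown["user"]) != normalise(resp_known["body"], resp_known["user"]):
        signals.append("body")
    if abs(resp_unknown["elapsed"] - resp_known["elapsed"]) > timing_tolerance:
        signals.append("timing")
    return signals


def response(user, status, body, elapsed, location=None):
    headers = {"Location": location} if location else {}
    return {"user": user, "status": status, "headers": headers, "body": body, "elapsed": elapsed}


# Constructed samples modelled on the behaviour the finding describes; not captures.
# Lost-password form before unification: an unknown user gets an error page, a known
# user is redirected to the "check your e-mail" page after a mail has been sent.
LOSTPW_LEAKY = (
    response("nosuchuser", 200, '<div id="login_error">Error: There is no account with that username '
                                 'or email address.</div><input type="hidden" name="_wpnonce" value="9f1c3a2b">', 0.05),
    response("admin", 302, "", 0.41, location="/wp-login.php?checkemail=confirm"),
)
# After unification: both cases get the same redirect, and the server does the same
# amount of work (lookup and mail queueing) whether or not the user exists.
LOSTPW_UNIFIED = (
    response("nosuchuser", 302, "", 0.40, location="/wp-login.php?checkemail=confirm"),
    response("admin", 302, "", 0.42, location="/wp-login.php?checkemail=confirm"),
)
# Login form before unification: different messages, and the password hash is only
# computed for an existing user, so the known-user case is measurably slower.
LOGIN_LEAKY = (
    response("nosuchuser", 200, "Error: The username nosuchuser is not registered on this site.", 0.04),
    response("admin", 200, "Error: The password you entered for the username admin is incorrect.", 0.30),
)
# After unification: one message, and a dummy hash is verified for unknown users too.
LOGIN_UNIFIED = (
    response("nosuchuser", 200, "Error: The username or password you entered is incorrect.", 0.30),
    response("admin", 200, "Error: The username or password you entered is incorrect.", 0.31),
)

if __name__ == "__main__":
    for name, pair in (("lost-password, leaky", LOSTPW_LEAKY), ("lost-password, unified", LOSTPW_UNIFIED),
                       ("login, leaky", LOGIN_LEAKY), ("login, unified", LOGIN_UNIFIED)):
        print(f"{name:25} distinguishable by: {enumeration_signals(*pair) or 'nothing'}")
```

The timing channel is the one most often forgotten: the login handler must verify a dummy hash when the username is unknown, and the lost-password handler must take the same path whether or not a mail is actually sent, or the unified message changes nothing for an attacker who measures response times.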

OBSERVATION: Software Versions


Use of an obsolete Bootstrap version, and of jQuery and jQuery UI whose reported version numbers correspond to releases with known vulnerabilities, as shown below:

jQuery

jQuery UI

RECOMMENDATIONS
• It is recommended to upgrade Bootstrap to its latest stable version.
• Note that the bundled jQuery and jQuery UI copies carry patches for the known issues despite their version numbers; it is nevertheless recommended to keep them updated and patched.

OBSERVATION: Browser Caching


Definition: the browser remembers values typed into form fields (form autofill) and offers or fills them again the next time the form is displayed. On a shared computer this leaks what earlier users typed.
For this matter, SHELT tested all fields and noted that some of them are being stored.
A sample is shown below:
Client Portal
Register Page: CSD number

Forgot Password Page: CSD Number

WordPress
WordPress login page

WordPress Forgot Password

RECOMMENDATION
• As best practice, it is recommended to disable the autocomplete option on all sensitive fields.
