Security Assessment Report

www.algerietelecom.dz

March 21, 2025

1. Executive Summary

This security assessment was conducted on www.algerietelecom.dz to identify potential vulnerabilities and security issues. The assessment included reconnaissance, port scanning, technology identification, vulnerability assessment, directory enumeration, and checking for leaked credentials.

2. Key Findings

The following critical security issues were identified:

  • Outdated PHP version (5.6.40) which reached end-of-life in January 2019
  • Overly permissive Content Security Policy (default-src * 'unsafe-inline')
  • Several server paths returning 500 errors, potentially indicating misconfigurations
  • Previous cyber attack reported in 2017

3. Detailed Findings

3.1 Server Information

  • IP Address: 197.112.57.26
  • Web Server: Apache
  • Programming Language: PHP 5.6.40 (End of Life: January 2019)
  • Framework: Evidence of CodeIgniter (detected through ci_session cookies)
  • Open Ports: 80 (HTTP) and 443 (HTTPS)
  • SSL Certificate: Valid until May 15, 2025, issued by Sectigo RSA

3.2 Security Headers Analysis

| Header | Value | Status |
|---|---|---|
| Content Security Policy | default-src * 'unsafe-inline' | VULNERABLE - This policy is too permissive and allows inline scripts from any source |
| X-XSS-Protection | 1; mode=block | GOOD - Browser's XSS protection is enabled |
| X-Content-Type-Options | nosniff | GOOD - Prevents MIME type sniffing |
| X-Frame-Options | SAMEORIGIN | GOOD - Prevents clickjacking attacks |

3.3 Directory Scanning Results

Several paths returned 500 server errors, which could indicate misconfigurations or potential security issues:

  • /admin (500 error)
  • /wp-admin (500 error)
  • /phpmyadmin (500 error)
  • /backup (500 error)
  • /.htaccess (500 error)
  • /backup~ (500 error)

3.4 Previous Security Incidents

  • A cyber attack on Algerie Telecom was reported on November 21, 2017
  • The company reported that it was able to repel the attack and that security services managed to identify and arrest the attackers
  • No specific details about the attack methods or motivations were disclosed

3.5 Information Leakage Findings

  • No specific credentials or sensitive data for algerietelecom.dz were found in public repositories
  • The outdated PHP version (5.6.40) increases the risk of information leakage through known vulnerabilities
  • The 500 error responses seen during directory scanning could leak system information

4. Recommendations

Based on the findings, the following recommendations are provided to improve the security posture:

4.1 Critical Recommendations

  1. Upgrade PHP Version

    Immediately upgrade from PHP 5.6.40 to a supported version (PHP 8.x recommended). PHP 5.6 reached end-of-life in January 2019 and has numerous known vulnerabilities.

  2. Strengthen Content Security Policy

    Implement a more restrictive Content Security Policy that follows the principle of least privilege. Avoid using 'unsafe-inline' and wildcard (*) source directives.

  3. Fix Server Errors

    Investigate and resolve the 500 errors occurring on multiple paths to prevent potential information leakage and improve reliability.

4.2 Additional Recommendations

  1. Update Framework

    If using CodeIgniter, ensure it is updated to the latest version to address any known security vulnerabilities.

  2. Implement Regular Security Assessments

    Conduct regular security assessments to identify and address vulnerabilities promptly.

  3. Enhance Error Handling

    Implement custom error pages to prevent leakage of system information through error messages.

  4. Implement Web Application Firewall

    Consider implementing a WAF to provide an additional layer of protection against common web attacks.

5. Conclusion

The security assessment of www.algerietelecom.dz has identified several security issues that require attention. The most critical issue is the outdated PHP version, which poses a significant security risk. By implementing the recommendations provided in this report, the security posture of the website can be significantly improved.

This security assessment was conducted ethically and non-intrusively, focusing on identifying potential vulnerabilities without exploiting them or causing any harm to the systems.