MEDIUM · regulator

Directorate General of Hydrocarbons

CSP permits unsafe-inline + unsafe-eval; missing Referrer-Policy

dghindia.gov.in · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 24

Availability

HTTP 200

TLS

2027-01-10 · 211d

Headers

6 missing · 0 permissive

Email auth

SPF soft · DMARC quarantine

60

Security score

Watch

Headline findings

  • 01 · CSP permits unsafe-inline and unsafe-eval — XSS surface
  • 02 · Missing Referrer-Policy header
  • 03 · Apache + CodeIgniter stack (versions hidden but fingerprint visible)
  • 04 · Soft-fail SPF

TLS security

pass

Issuer
eMudhra Technologies Limited
Expires
2027-01-10 (211d)

Email authentication

SPF
soft
DKIM
unknown
DMARC
quarantine

Hardening headers

0 / 0 / 6 (present / permissive / missing)

  • HSTS: missing
  • CSP: missing
  • X-Frame-Options: missing
  • X-Content-Type-Options: missing
  • Referrer-Policy: missing
  • Permissions-Policy: missing

Lookalike domains

  • dghindia.gov.com · 50.16.218.27 (AWS — typosquat cluster)

Public topology · CT logs

6 total

dghindia.gov.in
Portals
  • ebidding.dghindia.gov.in
  • e-bidding.dghindia.gov.in

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

Given the permissive CSP and the CVE-2025-54418 ImageMagick risk on a critical e-procurement platform, what is DGH's incident-detection latency if bid amounts are silently modified pre-award, and can audit logs prove bid integrity?

Active fingerprints · per host

  • dghindia.gov.in · EOL × 1

    Apache + CodeIgniter 4.x (ci_session + csrf_cookie_name visible) + PHP, eMudhra emSign wildcard TLS

    • CodeIgniter 4.x watch CVE-2025-54418 (ImageMagick RCE if handler enabled)
  • ebidding.dghindia.gov.in

    Same Apache + CodeIgniter stack — e-procurement portal

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1

Path A: CodeIgniter ImageMagick RCE (CVE-2025-54418) → procurement manipulation

effort hours
detect low (bad)
Entry
If ImageMagick handler enabled (plausible for bid documents with image overlays), CVE-2025-54418 gives unauthenticated RCE.
Pivot
Upload bid document with shell-metacharacter filename; ImageMagick processing injects command.
Objective
RCE; modify bid amounts; inject fake bids; alter contract awards.
#1

Path B: CSP unsafe-inline + unsafe-eval → stored XSS → bid manipulation

effort hours
detect low (bad)
Entry
CSP allows both unsafe-inline and unsafe-eval; any stored XSS is RCE-equivalent in browser context.
Pivot
Inject XSS via bid form (project description, bidder comments). JavaScript steals admin session, modifies bid amounts.
Objective
Manipulate procurement outcomes, steal bid secrets pre-award.
#2

Path C: Wildcard cert (*.dghindia.gov.in) → subdomain phishing with valid TLS

effort hours
detect low (bad)
Entry
eMudhra wildcard covers all subdomains.
Pivot
Register admin.dghindia.gov.in or api.dghindia.gov.in via DNS hijack/registrar compromise; serve phishing with valid TLS padlock.
Objective
Phishing, credential harvesting, malware distribution under trusted TLS.
#2

Path D: Soft-fail SPF + DMARC p=quarantine → procurement BEC

effort hours
detect low (bad)
Entry
Email auth weak.
Pivot
Spoof DGH director approving emergency procurement to MoPNG finance.
Objective
Fraudulent fund transfer, unauthorised contract award.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · CodeIgniter ImageMagick RCE (CVE-2025-54418) → procurement manipulation
factor ~4×
pre-AI
4 hours (ImageMagick version + payload + upload fuzzing + RCE PoC)
Mythos
1 hour (pre-cached CI4 ImageMagick library, payload mutation, schema-pattern fuzzing)
Path B · CSP unsafe-inline + unsafe-eval → stored XSS → bid manipulation
factor ~4×
pre-AI
3 hours (XSS payload + CSP-bypass + form fuzzing)
Mythos
45 min (XSS library with CSP-safe mutation, auto-discovery)

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    Verify CI version ≥ 4.6.2 and switch ImageMagick → GD

    Host
    dghindia.gov.in / ebidding.dghindia.gov.in
    CVE
    CVE-2025-54418
    Fix
    composer show codeigniter/framework | grep 4.6.2. In app/Config/Images.php set imageHandler='gd' (or imagick with strict input validation). Test upload with shell metacharacters in filename.
    Owner
    Application Development
    Validation
    Upload of project.jpg;cat /etc/passwd# is rejected
  • critical

    Remove unsafe-inline + unsafe-eval from CSP; nonce-based execution

    Host
    dghindia.gov.in
    Fix
    Generate per-request nonce. CSP: default-src 'self'; script-src 'self' 'nonce-{value}'; object-src 'none'.
    Owner
    Frontend / Security
    Validation
    curl -i shows CSP without unsafe-inline/eval; injected <script> without nonce blocked
  • high

    Add Referrer-Policy: strict-origin-when-cross-origin

    Host
    dghindia.gov.in
    Fix
    Add header globally. Prevents query-string leakage (bid IDs, amounts, bidder names) on outbound clicks.
    Owner
    Infrastructure / Security
    Validation
    curl -e 'https://attacker.com' has no Referer in outbound
  • critical

    Upgrade DMARC p=quarantine → p=reject

    Host
    dghindia.gov.in (email)
    Fix
    Monitor 30-day rua; then change to p=reject.
    Owner
    IT / Email Security
    Validation
    dig _dmarc returns p=reject
  • critical

    Input validation + sanitisation on all e-bidding form fields

    Host
    ebidding.dghindia.gov.in
    Fix
    Whitelist allowed characters per field. CodeIgniter $this->validate(['project_name' => 'required|alpha_dash']). Output HTML-encoded. ZAP scan for residual XSS.
    Owner
    Backend Engineering
    Validation
    OWASP ZAP XSS scan: 0 findings

Tier 2 · within 30 days

  • high

    DNS CAA records to restrict eMudhra-only issuance

    Host
    dghindia.gov.in
    Fix
    'CAA 0 issue "emudhra.com"; CAA 0 issuewild "emudhra.com"'. CT monitoring monthly.
    Owner
    Infrastructure / PKI
    Validation
    dig CAA shows eMudhra restriction; crt.sh monthly audit
  • high

    Rate-limit + CAPTCHA on bid submission

    Host
    ebidding.dghindia.gov.in
    Fix
    5 bid submissions/user/day; 100/IP/hour. CAPTCHA after 2 validation failures.
    Owner
    Backend Engineering
    Validation
    6 rapid submissions → 429 or CAPTCHA
  • high

    Immutable audit logging on bid modifications

    Host
    ebidding.dghindia.gov.in
    Fix
    Log all bid CRUD with user/timestamp/old/new values to immutable storage (S3 Object Lock or equivalent). Alert on bid-amount edits.
    Owner
    Security Operations / DevOps
    Validation
    Bid edit creates audit entry; deletion attempt fires alert

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.