Black Star, Open Files

Ghana's national drug safety database feeds the WHO's global VigiBase. Its production database credentials were committed to a public git repository. So was the Ghana Armed Forces recruitment portal's encryption key. Nine domains. No login required.

Views: ...

2 CRITICAL GHANA WHO PIPELINE OSINT Investigation

Campaign Statistics

A targeted sweep of Ghana's government digital surface — public git repositories associated with .gov.gh and .mil.gh domains — produced the following results. All data was retrieved from repositories that required no authentication to clone or browse.

~1.1 GBEvidence Collected
9Domains Audited
2CRITICAL Findings
1WHO-Connected System Affected
1Live DB Credential Set Exposed
1Production Encryption Key Exposed
3Military Branches Affected
4Repos with Substantive Data

One git clone Command

It started as it usually does: a terminal and a domain list.

git clone https://adr.fdaghana.gov.gh/.git .

The repository cloned without authentication. The Ghana Food and Drugs Authority's adverse drug reaction reporting system — the platform that collects patient safety data from hospitals, pharmacists, and the pharmaceutical industry across Ghana, then submits it to the World Health Organization's global VigiBase database — had its full source code in a publicly accessible git repository. Two directories in was icsrs/conn.php: a live PDO connection string with a hostname, a database name, a username, and a plaintext password. Not a placeholder. Not a test fixture. The credentials for the production system that feeds the world's largest drug safety surveillance database.

The second repository — apply.mil.gh, the Ghana Armed Forces' online application portal — was 667 megabytes. The .env file in the root of the working tree contained the production APP_KEY: the symmetric encryption secret that Laravel uses to sign every cookie, encrypt every session, and validate every CSRF token issued to every person who applies to join the Ghana Army, Navy, or Air Force.

No exploit was used. No credentials were brute-forced. No firewall was bypassed. Both repositories were publicly reachable with a standard git clone. The Ghana military and the Ghana FDA's pharmacovigilance infrastructure were, in practice, open to anyone who thought to look.

Why This Matters

Most credential exposures are contained. A leaked API key for a marketing tool is bad but bounded. What ODINT found in adr.fdaghana.gov.gh is different in kind: the Ghana FDA's adverse drug reporting system is not a standalone database. It is a node in a global surveillance network.

WHO's VigiBase receives ADR reports from National Pharmacovigilance Centres in 130 countries — over 40 million reports accumulated since 1968. Each National Centre submits in E2B XML format, and the Ghana FDA's ICSRS is the software that generates those submissions. The Vigibase2b.php, e2bgenerator.php, and batchvalidation.php files in the repository implement this pipeline end to end. Whoever can authenticate to fdbmain can read the patient-level ADR records before they are aggregated and submitted. They can also observe which drugs Ghana is flagging for adverse effects before those signals propagate to global regulatory authorities.

On the military side, the exposure is structural rather than data-level. The apply.mil.gh repository does not contain a production database of applicants — the SQLite file is not committed. But the APP_KEY is the foundation of every trust assertion Laravel makes. Combined with any secondary disclosure that yields a session identifier, it converts to an authentication bypass for recruitment administrators.

Targets Audited

Health and Drug Safety

adr.fdaghana.gov.gh
Ghana Food and Drugs Authority — Integrated Case Reporting System (ICSRS) / Pharmacovigilance Platform
Vector: Public git repository — no authentication required Size: 451 MB Status: CRITICAL — live credentials in source

Defense and Military

apply.mil.gh
Ghana Armed Forces — Online Application Portal (Army / Navy / Air Force recruitment)
Vector: Public git repository — no authentication required Size: 667 MB (327 MB git objects) Status: CRITICAL — production APP_KEY in .env
mail.apply.mil.gh
Ghana Armed Forces — Mail server for recruitment portal
Vector: Repository directory accessible, no content committed Status: Enumerated — empty

Investment and Commerce

asset.gipc.gov.gh / assetadmin.gipc.gov.gh
Ghana Investment Promotion Centre — ALMA Asset Lifecycle Management and Analytics Engine
Vector: Public git repository — full React build committed Size: 13 MB + 9.4 MB Status: HIGH — system internals exposed, no server-side credentials found

Enumerated / No Content

ghartisans.yea.gov.gh / nmi.nmc.gov.gh / online.dvla.gov.gh / portal.healthtraining.gov.gh
Youth Employment Authority / National Media Commission / DVLA / Health Training Institutions
Vector: Repository directories accessible, no data committed Status: Enumerated — empty

Critical Findings

adr.fdaghana.gov.gh — Live database credentials for WHO-connected pharmacovigilance system CRITICAL
File: icsrs/conn.php Database: fdbmain Downstream: WHO VigiBase
The icsrs/conn.php file contains a PDO connection string with a live hostname, database name, username, and password committed in plaintext. A second file, icsrs/constants.php, contains the AUTH_KEY and CLIENT_KEY used to authenticate against the system's REST API layer. The ICSRS is the software that aggregates adverse drug event reports from across Ghana's health sector and submits them in E2B XML to WHO's Uppsala Monitoring Centre. The repository contains the full submission pipeline: Vigibase2b.php (WHO SOAP client), e2bgenerator.php (E2B XML generation), batchvalidation.php (ICH E2B schema validation), and patient-level intake forms (addareport.php, onlinepatientsave.php). Clinical subdirectories include drug reaction histories, lab forms, vaccine-specific reporting (COVID and routine), and batch submission logs. The PHP code uses raw string concatenation in SQL queries in multiple files — SQL injection risk on top of the credential exposure.
// icsrs/conn.php $con = new PDO('mysql:host=localhost:3306;dbname=fdbmain;', '[USER]', '[PASS-IN-REPO]'); // icsrs/constants.php define('AUTH_KEY', '[REDACTED]'); define('CLIENT_KEY', '[REDACTED]');
apply.mil.gh — Production APP_KEY in public Ghana Armed Forces recruitment repository CRITICAL
File: .env Framework: Laravel 11 Scope: Army, Navy, Air Force
The .env file committed at the root of the repository contains the production APP_KEY — a base64-encoded 32-byte secret used by Laravel for all symmetric encryption: cookie signing, session payload encryption, and CSRF token generation. The same file sets APP_DEBUG=true and APP_ENV=local in production, enabling error disclosure. The application covers every intake track for the Ghana Military Academy: Regular Commission, Short Service Commission, Officer Cadet, Special Medical Intake, and enlisted recruits for the Army, Navy, Air Force, Medical Corps, Band Corps, and Tri-Service programme. The repository includes 667 MB of committed content — 327 MB of git object history — including operational military photographs of Ghana Military Academy personnel and facilities (1M3A, PJAY, _MG_ series naming conventions). The database schema migrations expose the applicant data model: name, email, password hash, session identifiers, and IP address logging.
// .env (committed to public repository) APP_NAME=Laravel APP_ENV=local APP_KEY=base64:[REDACTED — 32-byte production encryption key] APP_DEBUG=true DB_CONNECTION=sqlite SESSION_DRIVER=database
GIPC ALMA — Investment management system frontend fully enumerable HIGH
System: ALMA — Asset Lifecycle Management and Analytics Engine Size: 22 MB total
The Ghana Investment Promotion Centre's internal asset management platform — tracking physical assets for the statutory body that approves all foreign direct investment in Ghana — has its full React frontend committed to public repositories. Both the user portal (asset.gipc.gov.gh) and the administrative interface (assetadmin.gipc.gov.gh) are enumerable including JavaScript bundle hashes, component identifiers, and the application's purpose. No server-side credentials were found in these static builds. The exposure documents that GIPC runs a custom asset lifecycle system and reveals its full client-side implementation.

The WHO Pipeline

The significance of the FDA finding extends beyond a single credential set. The VigiBase pipeline is worth mapping explicitly.

Ghana's National Pharmacovigilance Centre collects ADR reports through the ICSRS. Healthcare providers submit through addareport.php. Patients submit through onlinepatientsave.php. The system validates each report against ICH E2B R2 schema using batchvalidation.php, generates E2B XML using e2bgenerator.php, and submits batches to WHO's Uppsala Monitoring Centre via Vigibase2b.php — a SOAP client built on NuSOAP 1.0. Individual case reports, batch submission records, and VigiBase response acknowledgements are all stored in fdbmain, the database whose credentials were in the public repository.

WHO issues safety signals — alerts that trigger regulatory action, drug recalls, and prescribing guideline updates worldwide — based on VigiBase data. Access to a national reporting pipeline before WHO aggregation would allow an observer to see which drugs Ghana is flagging for adverse effects before those signals propagate to global regulatory authorities.

Raw Data and Downloads

Ghana — Full Collection — 9 domains, ~1.1 GB
Browse
CREDENTIALS-MASTER.md — Complete technical breakdown with credentials, schema analysis, and remediation steps
View
ADR-FDAGHANA — Ghana FDA pharmacovigilance source including connection files and WHO submission pipeline (451 MB)
Browse
MILITARY-RECRUITMENT — Ghana Armed Forces recruitment portal full Laravel source (667 MB)
Browse
GIPC-ASSET — Investment Promotion Centre ALMA frontend builds (22 MB)
Browse

What This Means

Ghana's failure here is a version control failure, not a firewall misconfiguration or an unpatched server. Someone committed production secrets to repositories that were publicly accessible, and no automated or manual process caught it before ODINT did.

  • Public git repositories for production code with no secrets-scanning gate. Both the FDA system and the military portal have .gitignore files that were supposed to exclude .env and conn.php — exclusion was not enforced before push.
  • Production credentials in connection files committed alongside application code. The conn.php pattern has been documented as an insecure anti-pattern since at least 2012. The FDA system uses it across multiple modules.
  • App keys and debug flags set for local development deployed to production without environment differentiation. APP_ENV=local in production is a structural indicator that staging and production pipelines are not separated.
  • SQL injection risk on top of credential exposure. Multiple FDA ICSRS files use raw string concatenation to build SQL queries against fdbmain — the same database whose credentials were public.

For the Ghana FDA: rotate the database credentials for fdbmain immediately. Revoke and reissue the AUTH_KEY and CLIENT_KEY. Audit whether fdbmain accepts remote connections. Move all credentials to environment variables managed outside version control. Audit the ICSRS codebase for SQL injection. For the Ghana Armed Forces: rotate the APP_KEY on the production server — all active sessions will be invalidated. Remove .env from the repository's git history using git-filter-repo or BFG Repo-Cleaner. Disable APP_DEBUG in production.

OSINT Disclaimer

This report is based entirely on open-source intelligence (OSINT). No classified information was accessed. No confidential sources were used. No systems were breached. No authentication mechanisms were bypassed. All source code referenced in this investigation was publicly served from git repositories without access controls at the time of collection (2026-04).

The repositories at adr.fdaghana.gov.gh and apply.mil.gh cloned without authentication and returned working-tree content including configuration files. Every file described in this report was obtained through a standard git clone of a publicly accessible repository.

ODINT has notified Ghana's Cyber Security Authority (cybersecurity.gov.gh), the Ghana Food and Drugs Authority, and the Ghana Armed Forces via the Ministry of Defence concurrent with this publication, in line with our coordinated disclosure policy.

Compiled 2026-06-08 — Classification: OSINT — Open Source
Observatory for Digital Infrastructure and Network Transparency (ODINT)

Donate