Re: [ISN] DoD offering admin privileges on .mil Web sites

From: InfoSec News (isnat_private)
Date: Mon Jan 27 2003 - 03:03:05 PST

  • Next message: InfoSec News: "[ISN] Tool: Sapphire SQL Worm Scanner"

    Forwarded from: MacRohard <macrohardat_private>
    This story may not be as big as it seems. It has always been possible
    to apply for a .mil domain using the domain templates available
    initially from and later on (even now
    infact @ The form
    found on the web may not do much more than complete and email one of
    these templates to hostmasterat_private who would probably check a few
    details, chuckle to himself and delete the email.
    On Sat, 25 Jan 2003, InfoSec News wrote:
    > By Thomas C Greene in Washington
    > Posted: 24/01/2003 at 21:22 GMT
    > Care to register a .mil Web site of your own for free? The DoD has
    > gone out of its way to make it a snap. An unbelievably
    > badly-protected admin interface welcomes you to register whatever
    > domain you please ( anyone?), or edit anything
    > they've already got. The interface is so ludicrously unprotected
    > that it's been cached by Google and fails to mention that you must
    > be authorized to muck about with it. Incredibly, default passwords
    > are cheerfully provided on the page.
    > Following an anonymous tip from an observant Reg reader, we've
    > encountered the page in question in the Google cache, and after a
    > bit of our own poking about have also discovered an equally
    > unprotected (and Google-cached) admin interface encouraging us to
    > add a new user, like ourselves, say, which requires no
    > authentication.
    > All you have to do is find that page and you can set yourself up
    > with a user account, manage your new .mil Web site, fiddle about
    > with other people's .mil Web sites, and generally make an incredible
    > nuisance of yourself. We are, of course, straining against every
    > natural, journalistic impulse in our beings by neglecting to mention
    > any useful search strings with which to find it.
    > Another unprotected and cached page, this one discovered by our
    > tipster, lists traffic to a major DoD Web site by URL/IP address.
    > This worries us because it may list .mil sites and networked DoD
    > machines that are not public, not hotlinked anywhere, and which
    > might contain (or be networked with other machines that contain)
    > sensitive data.  Merely knowing that all those URLs and IP addys are
    > valid and owned by DoD would give a significant advantage to
    > attackers by narrowing their target area dramatically.
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 05:46:55 PST