Re: DoD offering admin privileges on .mil Web sites

[InfoSec News <isn () c4i org>]

Forwarded from: MacRohard <macrohard () lilofree net>

This story may not be as big as it seems. It has always been possible
to apply for a .mil domain using the domain templates available
initially from rs.internic.net and later on nic.ddn.mil (even now
infact @ www.nic.mil/ftp/templates/domain-template.txt). The form
found on the web may not do much more than complete and email one of
these templates to hostmaster () ddn mil who would probably check a few
details, chuckle to himself and delete the email.

-MacRohard

On Sat, 25 Jan 2003, InfoSec News wrote:

> http://www.theregister.co.uk/content/55/29026.html
>
> By Thomas C Greene in Washington
> Posted: 24/01/2003 at 21:22 GMT
>
> Care to register a .mil Web site of your own for free? The DoD has
> gone out of its way to make it a snap. An unbelievably
> badly-protected admin interface welcomes you to register whatever
> domain you please (http://Rotten.mil anyone?), or edit anything
> they've already got. The interface is so ludicrously unprotected
> that it's been cached by Google and fails to mention that you must
> be authorized to muck about with it. Incredibly, default passwords
> are cheerfully provided on the page.
>
> Following an anonymous tip from an observant Reg reader, we've
> encountered the page in question in the Google cache, and after a
> bit of our own poking about have also discovered an equally
> unprotected (and Google-cached) admin interface encouraging us to
> add a new user, like ourselves, say, which requires no
> authentication.
>
> All you have to do is find that page and you can set yourself up
> with a user account, manage your new .mil Web site, fiddle about
> with other people's .mil Web sites, and generally make an incredible
> nuisance of yourself. We are, of course, straining against every
> natural, journalistic impulse in our beings by neglecting to mention
> any useful search strings with which to find it.
>
> Another unprotected and cached page, this one discovered by our
> tipster, lists traffic to a major DoD Web site by URL/IP address.
> This worries us because it may list .mil sites and networked DoD
> machines that are not public, not hotlinked anywhere, and which
> might contain (or be networked with other machines that contain)
> sensitive data.  Merely knowing that all those URLs and IP addys are
> valid and owned by DoD would give a significant advantage to
> attackers by narrowing their target area dramatically.

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.