Re: U.S. Army Thinks Different

B.K. DeLong (
Fri, 10 Sep 1999 15:17:58 -0400

A little insider-information on the "U.S. Army" defacement.

Back in 1997, a nice big hole was found in Cold Fusion's server software.
One of the applications that automatically installed in the /cfdocs/
directory would allow anyone to read and upload files to the server. With a
little unique programming, a file could be sent over to the server allowing
full read-write capabilities for the entire NT machine. This file was
created and made available to the public. (see

Shortly after this was made public, (read: same day), the L0pht notified
the administrator of www. that his Web site was vulnerable. They
fixed it. However, being the bright, computer savvy people they are, they
forgot to make similar changes for through Oops.

Let's just say it was a target that a former Cold Fusion hacker couldn't

There were over 400 Web site defacements due to the Cold Fusion bugs and
all Allaire chose to do was issue a security bulletin to their "registered"
users. If a 15 year old high schooler can write a simple script to scan the
entire Web for servers vulnerable to this Cold Fusion hole, then Allaire
certainly could have done it and it would have been worth it to shell out
the extra money to pay someone to e-mail the administrators of each site
notifying them about the hole and explaining how to fix it.

So rather than being security-smart and defending their machines, the US
Army has decided to switch to an operating system they believe is secure
because of its limitations. Oops.

B.K. DeLong 
Research Lead
ZOT Group